Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

9

win102

windows10_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win103

windows10_x64

8

win103

windows10_x64

9

win103

windows10_x64

10

win103

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

Resubmissions

12-11-2024 01:29

241112-bwgrxs1gnf 10

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    1802s
  • max time network
    1800s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 12:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4.exe

Score
9/10
discoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 17 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2660
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
      • Modifies registry class
      PID:2556
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
      1⤵
        PID:2336
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
        1⤵
          PID:1944
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s SENS
          1⤵
            PID:1408
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Themes
            1⤵
              PID:1256
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s UserManager
              1⤵
                PID:1216
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                1⤵
                  PID:1100
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                  1⤵
                    PID:936
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                    1⤵
                      PID:284
                    • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
                      "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
                      1⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:4084
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
                        2⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:2140
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                          3⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4024
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3588
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3560
                        • C:\Users\Admin\AppData\Local\Temp\is-DFQ1O.tmp\Install.tmp
                          "C:\Users\Admin\AppData\Local\Temp\is-DFQ1O.tmp\Install.tmp" /SL5="$401C6,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:3872
                          • C:\Users\Admin\AppData\Local\Temp\is-5KTVR.tmp\Ultra.exe
                            "C:\Users\Admin\AppData\Local\Temp\is-5KTVR.tmp\Ultra.exe" /S /UID=burnerch1
                            4⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in Program Files directory
                            • Modifies system certificate store
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:2268
                            • C:\Program Files\Windows Defender\OAHXJPUNEM\ultramediaburner.exe
                              "C:\Program Files\Windows Defender\OAHXJPUNEM\ultramediaburner.exe" /VERYSILENT
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:184
                              • C:\Users\Admin\AppData\Local\Temp\is-0QNFI.tmp\ultramediaburner.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-0QNFI.tmp\ultramediaburner.tmp" /SL5="$50054,281924,62464,C:\Program Files\Windows Defender\OAHXJPUNEM\ultramediaburner.exe" /VERYSILENT
                                6⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of WriteProcessMemory
                                PID:4008
                                • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                  "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                  7⤵
                                  • Executes dropped EXE
                                  PID:4200
                            • C:\Users\Admin\AppData\Local\Temp\25-d25d5-774-d108f-1b2d3245b8b12\Sicodyfexo.exe
                              "C:\Users\Admin\AppData\Local\Temp\25-d25d5-774-d108f-1b2d3245b8b12\Sicodyfexo.exe"
                              5⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4116
                            • C:\Users\Admin\AppData\Local\Temp\6f-355d8-111-8ca8d-766367818876b\Qybufojulu.exe
                              "C:\Users\Admin\AppData\Local\Temp\6f-355d8-111-8ca8d-766367818876b\Qybufojulu.exe"
                              5⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4244
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                        2⤵
                        • Executes dropped EXE
                        • Modifies system certificate store
                        • Suspicious use of WriteProcessMemory
                        PID:4376
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4992
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1
                            4⤵
                            • Runs ping.exe
                            PID:5052
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
                        2⤵
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        PID:5100
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
                        2⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        PID:6080
                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          3⤵
                          • Executes dropped EXE
                          PID:5068
                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          3⤵
                          • Executes dropped EXE
                          PID:5324
                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          3⤵
                          • Executes dropped EXE
                          PID:2208
                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          3⤵
                          • Executes dropped EXE
                          PID:1276
                    • \??\c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s BITS
                      1⤵
                      • Suspicious use of SetThreadContext
                      • Modifies data under HKEY_USERS
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3064
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                        2⤵
                        • Checks processor information in registry
                        • Modifies data under HKEY_USERS
                        • Modifies registry class
                        PID:2032
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                        2⤵
                        • Drops file in System32 directory
                        • Checks processor information in registry
                        • Modifies data under HKEY_USERS
                        • Modifies registry class
                        PID:376
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                      1⤵
                      • Drops file in Windows directory
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4756
                    • C:\Windows\system32\browser_broker.exe
                      C:\Windows\system32\browser_broker.exe -Embedding
                      1⤵
                      • Modifies Internet Explorer settings
                      PID:4800
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:4140
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:3044
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      PID:4608
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:5868
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:5232
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:5448
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:1484
                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                      1⤵
                      • Modifies registry class
                      PID:2680

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/184-206-0x0000000000400000-0x0000000000416000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/284-169-0x000001E9D2720000-0x000001E9D2790000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/376-216-0x000001B4B7850000-0x000001B4B78C0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/376-248-0x000001B4B9F00000-0x000001B4BA001000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/376-214-0x000001B4B7770000-0x000001B4B77BB000-memory.dmp

                      Filesize

                      300KB

                      Download

                    • memory/936-164-0x000001FCFCFD0000-0x000001FCFD040000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/936-304-0x000001FCFD6B0000-0x000001FCFD720000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1100-157-0x0000022791B30000-0x0000022791BA0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1100-302-0x0000022791C10000-0x0000022791C80000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1216-312-0x00000219A3EB0000-0x00000219A3F20000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1216-186-0x00000219A3B00000-0x00000219A3B70000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1256-310-0x000001CB5AF60000-0x000001CB5AFD0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1256-184-0x000001CB5A8D0000-0x000001CB5A940000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1408-170-0x000002490C840000-0x000002490C8B0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1408-306-0x000002490C8B0000-0x000002490C920000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1944-182-0x0000021E26FD0000-0x0000021E27040000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/1944-308-0x0000021E27040000-0x0000021E270B0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2032-159-0x0000026BE3F00000-0x0000026BE3F70000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2268-203-0x0000000002500000-0x0000000002502000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2336-297-0x0000022D32400000-0x0000022D32470000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2336-145-0x0000022D32210000-0x0000022D32280000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2336-142-0x0000022D31A80000-0x0000022D31ACB000-memory.dmp

                      Filesize

                      300KB

                      Download

                    • memory/2376-152-0x0000028914880000-0x00000289148F0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2376-300-0x0000028914990000-0x0000028914A00000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2556-155-0x000001833F0D0000-0x000001833F140000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2556-298-0x000001833F190000-0x000001833F200000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2636-188-0x000002BC90080000-0x000002BC900F0000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/2660-190-0x000001D1896C0000-0x000001D189730000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/3064-149-0x000001A093800000-0x000001A093870000-memory.dmp

                      Filesize

                      448KB

                      Download

                    • memory/3560-193-0x0000000000400000-0x000000000042B000-memory.dmp

                      Filesize

                      172KB

                      Download

                    • memory/3588-128-0x0000000002B70000-0x0000000002B71000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3588-126-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3588-131-0x0000000002B80000-0x0000000002B9C000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/3588-135-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3588-165-0x000000001B860000-0x000000001B862000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/3872-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4008-215-0x00000000001E0000-0x00000000001E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4024-143-0x0000000004A00000-0x0000000004A5C000-memory.dmp

                      Filesize

                      368KB

                      Download

                    • memory/4024-140-0x0000000000ECD000-0x0000000000FCE000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/4116-229-0x0000000002690000-0x0000000002692000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4200-230-0x0000000002930000-0x0000000002932000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4200-241-0x0000000002935000-0x0000000002937000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4200-239-0x0000000002934000-0x0000000002935000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4200-240-0x0000000002932000-0x0000000002934000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4244-237-0x0000000002052000-0x0000000002054000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4244-231-0x0000000002050000-0x0000000002052000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/4376-235-0x0000000000C50000-0x0000000000C5D000-memory.dmp

                      Filesize

                      52KB

                      Download

                    • memory/5100-257-0x0000000003850000-0x0000000003860000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/5100-249-0x00000000036B0000-0x00000000036C0000-memory.dmp

                      Filesize

                      64KB

                      Download