ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1

General

Target

ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Size

216KB
MD5

11bda24cc4e19c541920134e51876ab8
SHA1

4f2074f4c937b18f4585bab49a5bbdad38f1e9a8
SHA256

ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1
SHA512

d65a8be196d0136647ee774fa0ee18c274e74c40736a7e42f61d37401b8e2ca6c7fee93249a9d0e54b23fc43d3da557052594c1a2c0c50c73742a1fc0c9f6e52
SSDEEP

6144:wVPZ5XI8NKUPuwyvFz/rIwwBrHghSbGq:OPZ5Y84UWJruBrAhS

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies security service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Executes dropped EXE 2 IoCs

pid	Process
1256	Explorer.EXE
464	services.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Unexpected DNS network traffic destination 9 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4
Destination IP	194.165.17.4

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1584 set thread context of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1584 set thread context of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-18\\$bb8ab67ad8382496fd4eead6952e3208\\n."	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\clsid	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ThreadingModel = "Both"	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32\ = "C:\\$Recycle.Bin\\S-1-5-21-3845472200-3839195424-595303356-1000\\$bb8ab67ad8382496fd4eead6952e3208\\n."	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

NTFS ADS 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpClient.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCommu.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpSvc.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpLics.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\en-US:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpAsDesc.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpEvMsg.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpRes.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MpRTP.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
File opened for modification	C:\Program Files\Windows Defender\MsMpCom.dll:!	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Token: SeDebugPrivilege	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Token: SeDebugPrivilege	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1584 wrote to memory of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1584 wrote to memory of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1584 wrote to memory of 1800	1584	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	28
PID 1800 wrote to memory of 1256	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	16
PID 1800 wrote to memory of 1256	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	16
PID 1800 wrote to memory of 464	1800	ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe	2

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256
- C:\Users\Admin\AppData\Local\Temp\ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Users\Admin\AppData\Local\Temp\ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe
    "C:\Users\Admin\AppData\Local\Temp\ef7dc1b61660664619d49a55e3c40b02ef4a23d7e1e3ecd33b0fcf0ad4a90da1.exe"
    3⤵
    - Modifies security service
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\@

Filesize
2KB

MD5
b274d9653f4d662a3fb29180fc7349a4

SHA1
ae36e8baf4e8f23d22c895f48d188606ea07fdd0

SHA256
d825a55f1bf5ff581a529813af51a0ecf173cb1d9efe869b72fef2ba57bfc95d

SHA512
88dd411286563588479d6f4526f91681c9fdc0512a02ffaa1722e42e93196309e7c0783cdfcc95a9d2767b70ce3a329d2b44689352d4854cc4ee67955a73957e

Download Submit
C:\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-18\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\$bb8ab67ad8382496fd4eead6952e3208\n

Filesize
25KB

MD5
9e0cd37b6d0809cf7d5fa5b521538d0d

SHA1
411ffdbe6c151dbd417bc59fa9dfec22b0adc9f2

SHA256
55d9748f0556576a8d522cf4b8dcfc9717436adcc487d49b3320770432960db2

SHA512
b511ee744dbe6cf0f54cb840d3786e89161115d0038425dde86d57752f76cae7a05f020120b43dc1444bd914c8c1690049e456635cc794fbf90e26794587dfc5

Download Submit
memory/1584-66-0x0000000000250000-0x000000000027B000-memory.dmp

Filesize
172KB

Download
memory/1584-67-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1584-72-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1800-60-0x0000000000430000-0x000000000046C000-memory.dmp

Filesize
240KB

Download
memory/1800-59-0x0000000000431000-0x0000000000456000-memory.dmp

Filesize
148KB

Download
memory/1800-68-0x0000000000260000-0x000000000028B000-memory.dmp

Filesize
172KB

Download
memory/1800-69-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1800-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing