b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Size

204KB
MD5

896bee8216e0354b2dce57cbf95fdcae
SHA1

34bb0f59699b5a70c6e924a6128dbe8c4726fd33
SHA256

b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90
SHA512

e40efb01c47fa08a77985a8151bc75978e19a8a38f51ee12dcfdfd8a932b6920a97999bd1186c01405266d80fab718447d8edf18f649aeaa09e630ed3cfea427
SSDEEP

6144:bcdOSKq1G5JU09zZd6n0xWWq2oM3/wCeeR0AI01Ak:wwi8Ugz+NG/wQvI0

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	kaxom.exe

Deletes itself 1 IoCs

pid	Process
676	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	kaxom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	kaxom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tiyritmo = "C:\\Users\\Admin\\AppData\\Roaming\\Ymevyx\\kaxom.exe"	kaxom.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\3B7F19B4-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe
2028	kaxom.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeManageVolumePrivilege	692	WinMail.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe
Token: SeSecurityPrivilege	676	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
692	WinMail.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2028	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	27
PID 1768 wrote to memory of 2028	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	27
PID 1768 wrote to memory of 2028	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	27
PID 1768 wrote to memory of 2028	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	27
PID 2028 wrote to memory of 1236	2028	kaxom.exe	13
PID 2028 wrote to memory of 1236	2028	kaxom.exe	13
PID 2028 wrote to memory of 1236	2028	kaxom.exe	13
PID 2028 wrote to memory of 1236	2028	kaxom.exe	13
PID 2028 wrote to memory of 1236	2028	kaxom.exe	13
PID 2028 wrote to memory of 1336	2028	kaxom.exe	12
PID 2028 wrote to memory of 1336	2028	kaxom.exe	12
PID 2028 wrote to memory of 1336	2028	kaxom.exe	12
PID 2028 wrote to memory of 1336	2028	kaxom.exe	12
PID 2028 wrote to memory of 1336	2028	kaxom.exe	12
PID 2028 wrote to memory of 1388	2028	kaxom.exe	10
PID 2028 wrote to memory of 1388	2028	kaxom.exe	10
PID 2028 wrote to memory of 1388	2028	kaxom.exe	10
PID 2028 wrote to memory of 1388	2028	kaxom.exe	10
PID 2028 wrote to memory of 1388	2028	kaxom.exe	10
PID 2028 wrote to memory of 1768	2028	kaxom.exe	26
PID 2028 wrote to memory of 1768	2028	kaxom.exe	26
PID 2028 wrote to memory of 1768	2028	kaxom.exe	26
PID 2028 wrote to memory of 1768	2028	kaxom.exe	26
PID 2028 wrote to memory of 1768	2028	kaxom.exe	26
PID 2028 wrote to memory of 692	2028	kaxom.exe	28
PID 2028 wrote to memory of 692	2028	kaxom.exe	28
PID 2028 wrote to memory of 692	2028	kaxom.exe	28
PID 2028 wrote to memory of 692	2028	kaxom.exe	28
PID 2028 wrote to memory of 692	2028	kaxom.exe	28
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 1768 wrote to memory of 676	1768	b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe	29
PID 2028 wrote to memory of 1916	2028	kaxom.exe	30
PID 2028 wrote to memory of 1916	2028	kaxom.exe	30
PID 2028 wrote to memory of 1916	2028	kaxom.exe	30
PID 2028 wrote to memory of 1916	2028	kaxom.exe	30
PID 2028 wrote to memory of 1916	2028	kaxom.exe	30
PID 2028 wrote to memory of 1044	2028	kaxom.exe	31
PID 2028 wrote to memory of 1044	2028	kaxom.exe	31
PID 2028 wrote to memory of 1044	2028	kaxom.exe	31
PID 2028 wrote to memory of 1044	2028	kaxom.exe	31
PID 2028 wrote to memory of 1044	2028	kaxom.exe	31
PID 2028 wrote to memory of 1600	2028	kaxom.exe	32
PID 2028 wrote to memory of 1600	2028	kaxom.exe	32
PID 2028 wrote to memory of 1600	2028	kaxom.exe	32
PID 2028 wrote to memory of 1600	2028	kaxom.exe	32
PID 2028 wrote to memory of 1600	2028	kaxom.exe	32
PID 2028 wrote to memory of 1484	2028	kaxom.exe	33
PID 2028 wrote to memory of 1484	2028	kaxom.exe	33
PID 2028 wrote to memory of 1484	2028	kaxom.exe	33
PID 2028 wrote to memory of 1484	2028	kaxom.exe	33
PID 2028 wrote to memory of 1484	2028	kaxom.exe	33
PID 2028 wrote to memory of 1984	2028	kaxom.exe	34
PID 2028 wrote to memory of 1984	2028	kaxom.exe	34
PID 2028 wrote to memory of 1984	2028	kaxom.exe	34
PID 2028 wrote to memory of 1984	2028	kaxom.exe	34
PID 2028 wrote to memory of 1984	2028	kaxom.exe	34
PID 2028 wrote to memory of 1768	2028	kaxom.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe
  "C:\Users\Admin\AppData\Local\Temp\b89a14df1fe68514c58810ec421ff60168888b6971a1a46ff97d4474b925fd90.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe
    "C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7b6a1d56.bat"
    3⤵
    - Deletes itself
    - Suspicious use of AdjustPrivilegeToken
    PID:676

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1336

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1236

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1590712757-562472613-708758500-18758177482143249131443055514879079243-927503904"
1⤵
PID:1916

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1044

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1984

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1768

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7b6a1d56.bat

Filesize
307B

MD5
180563b06c394b734aa34c70473e1121

SHA1
0a719443ce4cc82da56dade01aca332a17072646

SHA256
9c9be085372c5bbe2617f91b1a2e53ec4fbae76c6544718a495fe6b99899c886

SHA512
c9af773e571a2fb8b9f8077a4824cc92a5833b1a267ced14b59f1b0858ae5cc60efe8e5bb6b7c4dff919ca8d88b8dfa3d8bb2ea07b6264baea9aa95c8a6334f5

Download Submit
C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe

Filesize
204KB

MD5
c0986c157e7fdcbe42002d5f8cb65783

SHA1
99d6cf4c1654f55aec866b4619e0b620c58bfa6f

SHA256
583b68f37f8ac96b00e38ff57b5266d52dfea2d008c5e69f05176a092e6ed3a8

SHA512
d819cce16a928fcf386159944a59f3aa73f4054478076d8e069831a76f695d11db47a15a557df71fabe6624963eb4ace763e5b40ca1552958d06cf883e83df12

Download Submit
C:\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe

Filesize
204KB

MD5
c0986c157e7fdcbe42002d5f8cb65783

SHA1
99d6cf4c1654f55aec866b4619e0b620c58bfa6f

SHA256
583b68f37f8ac96b00e38ff57b5266d52dfea2d008c5e69f05176a092e6ed3a8

SHA512
d819cce16a928fcf386159944a59f3aa73f4054478076d8e069831a76f695d11db47a15a557df71fabe6624963eb4ace763e5b40ca1552958d06cf883e83df12

Download Submit
C:\Users\Admin\AppData\Roaming\Yrboqe\avmeo.iwo

Filesize
4KB

MD5
0ea96a456d66e809598b9439f1c2e62b

SHA1
33056a433840647711c8a70e4b5ade7b07438417

SHA256
563ce8795a9d71b5c238dbdf985c68d8f14e2827a82f817bdcfab5399a77976a

SHA512
abc3fcab00b3199f1199b7153dc5e449ea908ef8c8fa86e25acb8a73768c66a4ce623808757ec21bca7e6e17803119b148c37ba294b8ae437437a6459fddb752

Download Submit
\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe

Filesize
204KB

MD5
c0986c157e7fdcbe42002d5f8cb65783

SHA1
99d6cf4c1654f55aec866b4619e0b620c58bfa6f

SHA256
583b68f37f8ac96b00e38ff57b5266d52dfea2d008c5e69f05176a092e6ed3a8

SHA512
d819cce16a928fcf386159944a59f3aa73f4054478076d8e069831a76f695d11db47a15a557df71fabe6624963eb4ace763e5b40ca1552958d06cf883e83df12

Download Submit
\Users\Admin\AppData\Roaming\Ymevyx\kaxom.exe

Filesize
204KB

MD5
c0986c157e7fdcbe42002d5f8cb65783

SHA1
99d6cf4c1654f55aec866b4619e0b620c58bfa6f

SHA256
583b68f37f8ac96b00e38ff57b5266d52dfea2d008c5e69f05176a092e6ed3a8

SHA512
d819cce16a928fcf386159944a59f3aa73f4054478076d8e069831a76f695d11db47a15a557df71fabe6624963eb4ace763e5b40ca1552958d06cf883e83df12

Download Submit
memory/676-373-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/1236-69-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/1236-70-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/1236-68-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/1236-71-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/1236-66-0x0000000000410000-0x000000000044B000-memory.dmp

Filesize
236KB

Download
memory/1336-76-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1336-75-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1336-77-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1336-74-0x00000000002B0000-0x00000000002EB000-memory.dmp

Filesize
236KB

Download
memory/1388-80-0x0000000002A70000-0x0000000002AAB000-memory.dmp

Filesize
236KB

Download
memory/1388-81-0x0000000002A70000-0x0000000002AAB000-memory.dmp

Filesize
236KB

Download
memory/1388-83-0x0000000002A70000-0x0000000002AAB000-memory.dmp

Filesize
236KB

Download
memory/1388-82-0x0000000002A70000-0x0000000002AAB000-memory.dmp

Filesize
236KB

Download
memory/1768-110-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-88-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-87-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-90-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-89-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-94-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-92-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-100-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-98-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-102-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-96-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-104-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-112-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-116-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-114-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-55-0x00000000002B0000-0x000000000031A000-memory.dmp

Filesize
424KB

Download
memory/1768-108-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-118-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-230-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1768-86-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-54-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1768-56-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1768-120-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-122-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-126-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-124-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-247-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-216-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-106-0x00000000004B0000-0x00000000004EB000-memory.dmp

Filesize
236KB

Download
memory/1768-246-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1768-57-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2028-214-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2028-62-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2028-386-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2028-63-0x00000000006D0000-0x000000000073A000-memory.dmp

Filesize
424KB

Download