f9da54b2912742131ca8ae08a2a81895915109a21af8dbfb9dab6ead1481337d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Updateexe.exe
Size

591KB
MD5

53388f1619dda917dd62515d5ebca691
SHA1

cc5aeec69eada4166cc002d8232bb0114c671c22
SHA256

f9da54b2912742131ca8ae08a2a81895915109a21af8dbfb9dab6ead1481337d
SHA512

c42da1d9107316bf5da2fb9f72f717d363d203b39a9187713962e5289a80d76d7f8bcd6b37271c08a30f9b441aa49a23655ccbc16089f8a8a65d6e51774e9f53
SSDEEP

12288:/Hky2qkgHoX5RiI3igcaWdJiFfcv0SFWRQwk9G1vz:/H1QgHOLjigwbiFfcvGG59cb

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 4696 created 3164	4696	hdwmi.exe	38
PID 4696 created 3164	4696	hdwmi.exe	38
PID 4696 created 3164	4696	hdwmi.exe	38
PID 2244 created 3164	2244	updater.exe	38
PID 2244 created 3164	2244	updater.exe	38
PID 2244 created 3164	2244	updater.exe	38
PID 2244 created 3164	2244	updater.exe	38

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1776	Value.exe
4696	hdwmi.exe
2244	updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1776 set thread context of 3624	1776	Value.exe	84
PID 2244 set thread context of 5036	2244	updater.exe	105
PID 2244 set thread context of 3680	2244	updater.exe	106

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1284	powershell.exe
1284	powershell.exe
1776	Value.exe
1776	Value.exe
4696	hdwmi.exe
4696	hdwmi.exe
4696	hdwmi.exe
4696	hdwmi.exe
3056	powershell.exe
3056	powershell.exe
4696	hdwmi.exe
4696	hdwmi.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
3724	powershell.exe
3724	powershell.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe
2244	updater.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	Updateexe.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1776	Value.exe
Token: SeDebugPrivilege	3624	InstallUtil.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeCreatePagefilePrivilege	1912	powercfg.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	1672	powercfg.exe
Token: SeCreatePagefilePrivilege	1672	powercfg.exe
Token: SeShutdownPrivilege	3824	powercfg.exe
Token: SeCreatePagefilePrivilege	3824	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 1776 wrote to memory of 3624	1776	Value.exe	84
PID 2824 wrote to memory of 1912	2824	cmd.exe	90
PID 2824 wrote to memory of 1912	2824	cmd.exe	90
PID 2824 wrote to memory of 1672	2824	cmd.exe	91
PID 2824 wrote to memory of 1672	2824	cmd.exe	91
PID 2824 wrote to memory of 3824	2824	cmd.exe	92
PID 2824 wrote to memory of 3824	2824	cmd.exe	92
PID 2824 wrote to memory of 4796	2824	cmd.exe	93
PID 2824 wrote to memory of 4796	2824	cmd.exe	93
PID 3380 wrote to memory of 2760	3380	cmd.exe	101
PID 3380 wrote to memory of 2760	3380	cmd.exe	101
PID 3380 wrote to memory of 4136	3380	cmd.exe	102
PID 3380 wrote to memory of 4136	3380	cmd.exe	102
PID 3380 wrote to memory of 3836	3380	cmd.exe	103
PID 3380 wrote to memory of 3836	3380	cmd.exe	103
PID 3380 wrote to memory of 1780	3380	cmd.exe	104
PID 3380 wrote to memory of 1780	3380	cmd.exe	104
PID 2244 wrote to memory of 5036	2244	updater.exe	105
PID 2244 wrote to memory of 3680	2244	updater.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\Updateexe.exe
  "C:\Users\Admin\AppData\Local\Temp\Updateexe.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fiukzadu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4436
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:4136
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3836
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fiukzadu#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5036
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe
  2⤵
  PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Users\Admin\AppData\Local\Count\sudus\Value.exe
C:\Users\Admin\AppData\Local\Count\sudus\Value.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3624

C:\Users\Admin\AppData\Local\Temp\hdwmi.exe
C:\Users\Admin\AppData\Local\Temp\hdwmi.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4696

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Count\sudus\Value.exe

Filesize
591KB

MD5
53388f1619dda917dd62515d5ebca691

SHA1
cc5aeec69eada4166cc002d8232bb0114c671c22

SHA256
f9da54b2912742131ca8ae08a2a81895915109a21af8dbfb9dab6ead1481337d

SHA512
c42da1d9107316bf5da2fb9f72f717d363d203b39a9187713962e5289a80d76d7f8bcd6b37271c08a30f9b441aa49a23655ccbc16089f8a8a65d6e51774e9f53

Download Submit
C:\Users\Admin\AppData\Local\Count\sudus\Value.exe

Filesize
591KB

MD5
53388f1619dda917dd62515d5ebca691

SHA1
cc5aeec69eada4166cc002d8232bb0114c671c22

SHA256
f9da54b2912742131ca8ae08a2a81895915109a21af8dbfb9dab6ead1481337d

SHA512
c42da1d9107316bf5da2fb9f72f717d363d203b39a9187713962e5289a80d76d7f8bcd6b37271c08a30f9b441aa49a23655ccbc16089f8a8a65d6e51774e9f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6c1dd8c5ade1d86bb6772a96d5a65bb

SHA1
9edd35a11a7eee83d5e4d1edb6f63d0c36b1f45f

SHA256
96c68492b33bc8f8a87aa7813eefc8c82990e0d0a3126e29bc0ee89b3b195c5d

SHA512
c8010e0384cec5a0b355470ac663cf745ae086e01e97f184e09d5a2134224a6247f79d43fc2515f7b52b94452750d7229738be12f3e1f0e79da64186433417c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rswvsshk.eke.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdwmi.exe

Filesize
9.8MB

MD5
47b23e6a12591b9da45e69c443c60047

SHA1
c93142e757e8b433b8399c67c2683109206c38f6

SHA256
184b289d4805a2ddb2ffee544da05890b7b9f30569cfceb1b19563b3a98f520e

SHA512
bb9882ecd2c1361694709fbb6fe75a8f7c7b184762317d5a639b9f12b80528289c31ba8328514a8d46dfc62f54bf776baa516f97e248d4e1580ac3f43681fcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hdwmi.exe

Filesize
9.8MB

MD5
47b23e6a12591b9da45e69c443c60047

SHA1
c93142e757e8b433b8399c67c2683109206c38f6

SHA256
184b289d4805a2ddb2ffee544da05890b7b9f30569cfceb1b19563b3a98f520e

SHA512
bb9882ecd2c1361694709fbb6fe75a8f7c7b184762317d5a639b9f12b80528289c31ba8328514a8d46dfc62f54bf776baa516f97e248d4e1580ac3f43681fcb4

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
47b23e6a12591b9da45e69c443c60047

SHA1
c93142e757e8b433b8399c67c2683109206c38f6

SHA256
184b289d4805a2ddb2ffee544da05890b7b9f30569cfceb1b19563b3a98f520e

SHA512
bb9882ecd2c1361694709fbb6fe75a8f7c7b184762317d5a639b9f12b80528289c31ba8328514a8d46dfc62f54bf776baa516f97e248d4e1580ac3f43681fcb4

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe

Filesize
9.8MB

MD5
47b23e6a12591b9da45e69c443c60047

SHA1
c93142e757e8b433b8399c67c2683109206c38f6

SHA256
184b289d4805a2ddb2ffee544da05890b7b9f30569cfceb1b19563b3a98f520e

SHA512
bb9882ecd2c1361694709fbb6fe75a8f7c7b184762317d5a639b9f12b80528289c31ba8328514a8d46dfc62f54bf776baa516f97e248d4e1580ac3f43681fcb4

Download Submit
memory/1284-2336-0x00000269F3CB0000-0x00000269F3CC0000-memory.dmp

Filesize
64KB

Download
memory/1284-2337-0x00000269F3CB0000-0x00000269F3CC0000-memory.dmp

Filesize
64KB

Download
memory/1284-2325-0x00000269F3840000-0x00000269F3862000-memory.dmp

Filesize
136KB

Download
memory/1284-2335-0x00000269F3CB0000-0x00000269F3CC0000-memory.dmp

Filesize
64KB

Download
memory/1776-2540-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/1776-4528-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3056-6733-0x00000230A2E60000-0x00000230A2E70000-memory.dmp

Filesize
64KB

Download
memory/3056-6734-0x00000230A2E60000-0x00000230A2E70000-memory.dmp

Filesize
64KB

Download
memory/3056-6735-0x00000230A2E60000-0x00000230A2E70000-memory.dmp

Filesize
64KB

Download
memory/3624-4669-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3624-6718-0x0000000004E50000-0x0000000004E60000-memory.dmp

Filesize
64KB

Download
memory/3680-6762-0x00000291A2070000-0x00000291A20B0000-memory.dmp

Filesize
256KB

Download
memory/3680-6767-0x0000029180020000-0x0000029180040000-memory.dmp

Filesize
128KB

Download
memory/3724-6742-0x000001B770950000-0x000001B770960000-memory.dmp

Filesize
64KB

Download
memory/3724-6748-0x000001B770950000-0x000001B770960000-memory.dmp

Filesize
64KB

Download
memory/3724-6754-0x000001B770950000-0x000001B770960000-memory.dmp

Filesize
64KB

Download
memory/4952-157-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-166-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-184-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-186-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-188-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-190-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-192-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-194-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-196-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-198-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-2097-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4952-2322-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4952-180-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-178-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-176-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-174-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-172-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-170-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-168-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-182-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-164-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-162-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-133-0x0000000000790000-0x000000000082A000-memory.dmp

Filesize
616KB

Download
memory/4952-159-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/4952-160-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-155-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-153-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-151-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-149-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-147-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-145-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-143-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-141-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-139-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-137-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-135-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download
memory/4952-134-0x00000000050E0000-0x00000000051C0000-memory.dmp

Filesize
896KB

Download