Overview

overview

8

Static

static

3

7dffcd6eaa...df.exe

windows7-x64

7

7dffcd6eaa...df.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/01/2024, 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7dffcd6eaa2799b068f2e2ba1a478adf.exe

  • Size

    860KB

  • MD5

    7dffcd6eaa2799b068f2e2ba1a478adf

  • SHA1

    a84410d13fb727171844bbdb6eafbf22063cc909

  • SHA256

    e6bc73137e636b0c3362555d89e8c2926296b10be2eee4f296e6f0108430616a

  • SHA512

    f24fd5e7f93e1f95e5aee49c4be2e53fd12e34be16f4995b0d080bc82ec153a67b468d2e90d8e975a3626e2e6efa8b917fd625c266f860e4b3f4551c0c7a522c

  • SSDEEP

    12288:X2XVjff7xoNkvIPbQjqhQyHX1h5FxSbEAlJWWFYVxDG3p5n84Y6Ewq/FAkEtHZ:4VvxoGvgQjqrsbbWWFYVA84Y6EwEA1

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 33 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dffcd6eaa2799b068f2e2ba1a478adf.exe
    "C:\Users\Admin\AppData\Local\Temp\7dffcd6eaa2799b068f2e2ba1a478adf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 836
        3⤵
        • Program crash
        PID:4032
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 872
        3⤵
        • Program crash
        PID:3248
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1108
        3⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1164
        3⤵
        • Program crash
        PID:2980
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1148
        3⤵
        • Program crash
        PID:4776
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1220
        3⤵
        • Program crash
        PID:3828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1296
        3⤵
        • Program crash
        PID:3228
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1304
        3⤵
        • Program crash
        PID:4320
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1388
        3⤵
        • Program crash
        PID:2888
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1796
        3⤵
        • Program crash
        PID:2360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 1296
        3⤵
        • Program crash
        PID:3432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2628 -ip 2628
    1⤵
      PID:4924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2628 -ip 2628
      1⤵
        PID:4368
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2628 -ip 2628
        1⤵
          PID:1604
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2628 -ip 2628
          1⤵
            PID:1596
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2628 -ip 2628
            1⤵
              PID:3380
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2628 -ip 2628
              1⤵
                PID:4840
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2628 -ip 2628
                1⤵
                  PID:4616
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2628 -ip 2628
                  1⤵
                    PID:3912
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2628 -ip 2628
                    1⤵
                      PID:4292
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:1440
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        PID:1664
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:4068
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:2480
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of WriteProcessMemory
                      PID:4804
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SendNotifyMessage
                        PID:4620
                    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                      "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                      1⤵
                      • Modifies data under HKEY_USERS
                      • Suspicious use of SetWindowsHookEx
                      PID:3048
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:4196
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SendNotifyMessage
                        PID:3020
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:2200
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:3520
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        PID:3248
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:4320
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4840
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1172
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        PID:2336
                    • C:\Windows\system32\sihost.exe
                      sihost.exe
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4216
                      • C:\Windows\explorer.exe
                        explorer.exe /LOADSAVEDWINDOWS
                        2⤵
                        • Modifies Installed Components in the registry
                        • Enumerates connected drives
                        • Checks SCSI registry key(s)
                        • Modifies registry class
                        • Suspicious use of SetWindowsHookEx
                        PID:2632
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4164
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:2712
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2628 -ip 2628
                      1⤵
                        PID:1572
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2628 -ip 2628
                        1⤵
                          PID:4876

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\isecurity.exe
                          Filesize

                          854KB

                          MD5

                          3beaff4a6d619ddb0d918d937c9689f1

                          SHA1

                          e17aedd9b5b86e4480df670d64e1bac52986155f

                          SHA256

                          f3053d619fe355f704ac2fa61c27bd2ae1350aa09e29c3633bd7e85c0b33a9dd

                          SHA512

                          131d20e9349aa05b7db31f79e4496259444d9cc843bb5dc63f76538f63793a8f7c6e28b2e91d1df450501207dfe4571dc78cd41536692f584114876072d840dd

                          Download Submit

                        • C:\ProgramData\isecurity.exe
                          Filesize

                          660KB

                          MD5

                          5dc32881aa3dd7891a0699ccbec54c88

                          SHA1

                          11315c4257ff5a7fa5587a38a6c50e5dc07bf01a

                          SHA256

                          6ed5eca26d0b01b874852d749016cd99bb66bf91217b3578514899f9ff56ded4

                          SHA512

                          a8977610e2cf7a964521abf2209d2d5e24d45b640652a6c5039e053a899f14327e50181b3ef04145f0fd08cd791efde0213350c5ee411f2227362795e445a6be

                          Download Submit

                        • C:\ProgramData\isecurity.exe
                          Filesize

                          677KB

                          MD5

                          623ebb75a47901bf917116a1e0bc77ce

                          SHA1

                          2393ca9b7b22f39553e018f4f141172bee83ede7

                          SHA256

                          4694a118229738abd961bcc7863ae88c4cfa24be27a3a1572819560e2447ca4e

                          SHA512

                          9b9f5e3de777ce70084e70e8b7adfd68bc445f7b05030ecccfd21c90ed1205b2f03fff65952b6ea3b0bcd726df227947feea8f7e081f4e34372f1aaf51dc9ad9

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                          Filesize

                          471B

                          MD5

                          1d1d55a47fcb3e80e094d13fe0dfa614

                          SHA1

                          6fa941a772a675946b15f1d4436dbd09b665ff91

                          SHA256

                          35fff33b6d5781754a42ef7b79f0a1959ea8af7ce448007a8e808aece27d6e1f

                          SHA512

                          0db86199fdf82e1af339a737be09ed35fc4eed0fe103288464d36114fa0493ed5d0c047a8c0f2b7abdeb7ffbfb565a89490e78fb2d09f040aaa51c3b768dd26f

                          Download Submit

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                          Filesize

                          412B

                          MD5

                          9dbb4fc6ad4e1eb6e38ad992a4810196

                          SHA1

                          64f22106ef4b2d4ea5c2604111748873405683f1

                          SHA256

                          2ab819f7d8cb0927fddefafcc6417d0b195373a03a3bab644bf9d826ff18fdac

                          SHA512

                          2fadf03f2635998876f0b005f11d6005e0e40affc03f4d4bde027872bf04df300ca4252cf5e97873b561106f9abd2ad4d8ae190e60f91e53248fdfb28bf92f8e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                          Filesize

                          1022B

                          MD5

                          58a9e47cacd4881d39ceb1749df616a8

                          SHA1

                          fef08e32fe0de36f643d581a1bda5bba036dc840

                          SHA256

                          ec02c34f4bffbc296dc91356fc314695648fca2eded2085e354673a13ed7db70

                          SHA512

                          601190c4805fd53a91984bb3fec3cd09d6ca25f573af06df2b620f1974f7a45b52d24eef1ca027e354125c264ebd0be12b9050e176b6bcf1dba43e775ecd5575

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                          Filesize

                          2KB

                          MD5

                          cccb6e3d9705c309f6a2274bde744eb7

                          SHA1

                          c4d77de00d0ea87c9fcf171d66cbb2f423f3379d

                          SHA256

                          f889e0fefffde9dedeb1677b2ace05a8247fc14e9e6175a7820c0cf881f9f45d

                          SHA512

                          b67eaf7e9b5b6defbbd7d1f71f12734b56a746448602a25e6e13c06e7c1cbfb855d03e37279aea62f9a57092685e134b30e9d09dd6da3c4d82f9d96823c8b0e4

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\V50TXLKS\microsoft.windows[1].xml
                          Filesize

                          97B

                          MD5

                          0dd9849d7dcb276fe7952fbef01f27d2

                          SHA1

                          696b4212cc8a84291f88203695dbfe81567db0b9

                          SHA256

                          ab905cb2e3d901f2d2e2abbe041717c3c220c2fbf8f5a6b84554246918e1ccd0

                          SHA512

                          7c9ee87c2c2a4bb137141e1fdf4d5f64e3873c734dc3848bc98d9f4c5511c11124a700ce84c927ad8d76f6afbd3f8fa653a70f744927517249fda132767ca715

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\{4A462284-7CA6-4F97-BECD-7308D3EA6CAD}.png
                          Filesize

                          6KB

                          MD5

                          099ba37f81c044f6b2609537fdb7d872

                          SHA1

                          470ef859afbce52c017874d77c1695b7b0f9cb87

                          SHA256

                          8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

                          SHA512

                          837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

                          Download Submit

                        • C:\Users\Public\Desktop\Internet Security.lnk
                          Filesize

                          682B

                          MD5

                          fbdc607ba93c0a626664234fe91a0914

                          SHA1

                          654d9548c12393f08905eedc86212dc3e028ec4a

                          SHA256

                          78df829eaf191bdf1a99f2175c9c793e3146e505f22a05691728582eea4a9fee

                          SHA512

                          98ee79bbc44c6166fd914f9cae2889ca6eba1746eb9ecb9a52479aa311a2736c1429a58858a3718fa2ed535833614851df7616ddb8f94cd19bdecf17ea682dd2

                          Download Submit

                        • memory/1340-1-0x00000000006B0000-0x00000000006B1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1340-7-0x0000000000400000-0x0000000000507000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/1340-2-0x0000000000400000-0x0000000000507000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/1340-0-0x0000000000400000-0x0000000000507000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/1664-25-0x0000000004C80000-0x0000000004C81000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2628-123-0x0000000000C00000-0x0000000000C01000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2628-108-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-147-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-37-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-146-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-145-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-144-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-141-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-18-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-140-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-17-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-139-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-134-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-133-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-15-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-19-0x0000000000C00000-0x0000000000C01000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2628-116-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-115-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-14-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-124-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-131-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2628-132-0x0000000000400000-0x0000000000A40000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2632-82-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/2712-95-0x00000139EBE00000-0x00000139EBE20000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/2712-93-0x00000139EBA00000-0x00000139EBA20000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/2712-90-0x00000139EBA40000-0x00000139EBA60000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/3248-42-0x00000000032A0000-0x00000000032A1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4620-34-0x0000000004420000-0x0000000004421000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/4840-52-0x000002475F220000-0x000002475F240000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/4840-54-0x000002475F840000-0x000002475F860000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/4840-50-0x000002475F260000-0x000002475F280000-memory.dmp

                          Filesize

                          128KB

                          Download