Analysis

  • max time kernel
    79s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/02/2024, 12:12

General

  • Target

    Optimizer-16.4.exe

  • Size

    2.3MB

  • MD5

    9352623ba2fee1206079ce3d81bf0132

  • SHA1

    9c398c2d975d82ba1e46f3bcc0e6298a2b713b8d

  • SHA256

    f4775567ca9941b4fb3224d97b0741ae669eedfcb0d8b3c71106b21bdb1aee28

  • SHA512

    a38cef70819524a3ba8d7583b763da3fac71a9b67e832165f14f60568f7a2a07f67418bb7f7a544b32aa3d76a4fa9a6b142a3998cf362a116171ed4fae05187e

  • SSDEEP

    24576:QqsJmQYTZZ4GKTnbv7DO9JvvEC8ZJC3Bjk38WuBcAbwoA/BkjSHXP36RMG:QMH4VTnbv7uEC8Zw3CSA/Bkj0

Malware Config

Signatures

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Sets file execution options in registry 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Disables Windows logging functionality 2 TTPs

    Changes registry settings to disable Windows Event logging.

  • Modifies Control Panel 9 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 18 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe
    "C:\Users\Admin\AppData\Local\Temp\Optimizer-16.4.exe"
    1⤵
    • Modifies visibility of file extensions in Explorer
    • Sets file execution options in registry
    • Checks computer location settings
    • Modifies Control Panel
    • Modifies Internet Explorer Phishing Filter
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2668
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\system32\sc.exe
        sc config "RemoteRegistry" start= disabled
        3⤵
        • Launches sc.exe
        PID:976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\system32\icacls.exe
        icacls C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger /deny SYSTEM:`(OI`)`(CI`)F
        3⤵
        • Modifies file permissions
        PID:3132
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\system32\schtasks.exe
        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
        3⤵
          PID:4272
        • C:\Windows\system32\schtasks.exe
          schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
          3⤵
            PID:2296
          • C:\Windows\system32\schtasks.exe
            schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
            3⤵
              PID:2248
            • C:\Windows\system32\schtasks.exe
              schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
              3⤵
                PID:3956
              • C:\Windows\system32\schtasks.exe
                schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
                3⤵
                  PID:1860
                • C:\Windows\system32\schtasks.exe
                  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
                  3⤵
                    PID:1472
                  • C:\Windows\system32\schtasks.exe
                    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
                    3⤵
                      PID:1616
                    • C:\Windows\system32\schtasks.exe
                      schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
                      3⤵
                        PID:3388
                      • C:\Windows\system32\schtasks.exe
                        schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
                        3⤵
                          PID:3484
                        • C:\Windows\system32\schtasks.exe
                          schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
                          3⤵
                            PID:3584
                          • C:\Windows\system32\schtasks.exe
                            schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
                            3⤵
                              PID:2288
                            • C:\Windows\system32\schtasks.exe
                              schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
                              3⤵
                                PID:5068
                              • C:\Windows\system32\schtasks.exe
                                schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
                                3⤵
                                  PID:4760
                                • C:\Windows\system32\schtasks.exe
                                  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
                                  3⤵
                                    PID:1656
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
                                    3⤵
                                      PID:4444
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable"
                                      3⤵
                                        PID:3892
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
                                        3⤵
                                          PID:4948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
                                          3⤵
                                            PID:3736
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
                                            3⤵
                                              PID:1588
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
                                              3⤵
                                                PID:2044
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
                                                3⤵
                                                  PID:2020
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
                                                  3⤵
                                                    PID:2176
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
                                                    3⤵
                                                      PID:644
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
                                                      3⤵
                                                        PID:3948
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
                                                        3⤵
                                                          PID:3384
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
                                                          3⤵
                                                            PID:220
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
                                                            3⤵
                                                              PID:2164
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
                                                              3⤵
                                                                PID:3300
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
                                                                3⤵
                                                                  PID:1096
                                                                • C:\Windows\system32\schtasks.exe
                                                                  schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
                                                                  3⤵
                                                                    PID:3904
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
                                                                    3⤵
                                                                      PID:2364
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
                                                                      3⤵
                                                                        PID:1844
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
                                                                        3⤵
                                                                          PID:3380
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
                                                                          3⤵
                                                                            PID:3352
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
                                                                            3⤵
                                                                              PID:1200
                                                                            • C:\Windows\system32\schtasks.exe
                                                                              schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
                                                                              3⤵
                                                                                PID:1040
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
                                                                                3⤵
                                                                                  PID:2912
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
                                                                                  3⤵
                                                                                    PID:2612
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
                                                                                    3⤵
                                                                                      PID:2696
                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                      schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
                                                                                      3⤵
                                                                                        PID:4640
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        schtasks /end /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)"
                                                                                        3⤵
                                                                                          PID:864
                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                          schtasks /change /tn "\Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
                                                                                          3⤵
                                                                                            PID:3212
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
                                                                                            3⤵
                                                                                              PID:3272
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
                                                                                              3⤵
                                                                                                PID:4788
                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
                                                                                                3⤵
                                                                                                  PID:2716
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
                                                                                                  3⤵
                                                                                                    PID:772
                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
                                                                                                    3⤵
                                                                                                      PID:4944
                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                      schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
                                                                                                      3⤵
                                                                                                        PID:4860
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /Disable
                                                                                                        3⤵
                                                                                                          PID:4940
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /Disable
                                                                                                          3⤵
                                                                                                            PID:2980
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            schtasks /Change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /Disable
                                                                                                            3⤵
                                                                                                              PID:3096
                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                              schtasks /end /tn "\Microsoft\Windows\HelloFace\FODCleanupTask"
                                                                                                              3⤵
                                                                                                                PID:408
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                schtasks /change /tn "\Microsoft\Windows\HelloFace\FODCleanupTask" /disable
                                                                                                                3⤵
                                                                                                                  PID:1716
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
                                                                                                                  3⤵
                                                                                                                    PID:1720
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
                                                                                                                    3⤵
                                                                                                                      PID:1124
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
                                                                                                                      3⤵
                                                                                                                        PID:3120
                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                        schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
                                                                                                                        3⤵
                                                                                                                          PID:4452
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          schtasks /end /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask"
                                                                                                                          3⤵
                                                                                                                            PID:452
                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                            schtasks /change /tn "\Microsoft\Windows\Application Experience\PcaPatchDbTask" /disable
                                                                                                                            3⤵
                                                                                                                              PID:4616
                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                              schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
                                                                                                                              3⤵
                                                                                                                                PID:4736
                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                schtasks /change /tn "\Microsoft\Windows\Device Information\Device" /disable
                                                                                                                                3⤵
                                                                                                                                  PID:4708
                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                  schtasks /end /tn "\Microsoft\Windows\Device Information\Device User"
                                                                                                                                  3⤵
                                                                                                                                    PID:2264
                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                    schtasks /change /tn "\Microsoft\Windows\Device Information\Device User" /disable
                                                                                                                                    3⤵
                                                                                                                                      PID:1152
                                                                                                                                  • C:\Windows\System32\shutdown.exe
                                                                                                                                    "C:\Windows\System32\shutdown.exe" /r /t 0
                                                                                                                                    2⤵
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:976
                                                                                                                                • C:\Windows\system32\LogonUI.exe
                                                                                                                                  "LogonUI.exe" /flags:0x4 /state0:0xa39bb055 /state1:0x41c64e6d
                                                                                                                                  1⤵
                                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                  PID:4720

                                                                                                                                Network

                                                                                                                                      MITRE ATT&CK Enterprise v15

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • C:\ProgramData\Optimizer\Optimizer.json

                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        6b67d4971607b5050f86886ce9eeac6e

                                                                                                                                        SHA1

                                                                                                                                        11e812da278994cef6c50171c7494379dd34057a

                                                                                                                                        SHA256

                                                                                                                                        1cf9b8c1ab1a3f3b0535e9176b3434793364ad4cd5a40175e390184f1fe5f60c

                                                                                                                                        SHA512

                                                                                                                                        6b63200bb2773792c652496a6a1899ad6b58450a467b62294aef699cd2b3e75aa780012e6eb6bfafb62ab3aeeca2dc2084557718b52037852cf91a5ff388bb4c

                                                                                                                                      • C:\ProgramData\Optimizer\Required\DisableTelemetryTasks.bat

                                                                                                                                        Filesize

                                                                                                                                        5KB

                                                                                                                                        MD5

                                                                                                                                        cb03c3144aaff8fb1c3497c403c2b60f

                                                                                                                                        SHA1

                                                                                                                                        ba4380abb20eaaeb638cdb142452def731817212

                                                                                                                                        SHA256

                                                                                                                                        abd9b7c86e9186c4af174c2a630629588ec89a716d3ff04d357d2610e490c8d3

                                                                                                                                        SHA512

                                                                                                                                        d76cf1fa9662bbafc931eb3720213e30a99de34ae0d92ff90a52a761555fc934fc9822c6beeddb882fabf990b30b17e8bf35b8acbc9d9898618d38fc259e9660

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_joxftp02.ez0.ps1

                                                                                                                                        Filesize

                                                                                                                                        60B

                                                                                                                                        MD5

                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                        SHA1

                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                        SHA256

                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                        SHA512

                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                      • memory/2668-49-0x000001A2E0350000-0x000001A2E035A000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        40KB

                                                                                                                                      • memory/2668-66-0x000001A2E0BC0000-0x000001A2E0BD2000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        72KB

                                                                                                                                      • memory/2668-25-0x000001A2DC310000-0x000001A2DC332000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                      • memory/2668-27-0x000001A2DC3C0000-0x000001A2DC3DE000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        120KB

                                                                                                                                      • memory/2668-28-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-30-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-29-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-31-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.8MB

                                                                                                                                      • memory/2668-32-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-3-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-48-0x000001A2E0330000-0x000001A2E0346000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        88KB

                                                                                                                                      • memory/2668-0-0x000001A2C1B80000-0x000001A2C1DD8000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        2.3MB

                                                                                                                                      • memory/2668-50-0x000001A2E03C0000-0x000001A2E03E6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        152KB

                                                                                                                                      • memory/2668-24-0x000001A2DCA40000-0x000001A2DCAB6000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        472KB

                                                                                                                                      • memory/2668-67-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-68-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-69-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-70-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-72-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-73-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-74-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-75-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-76-0x000001A2DC430000-0x000001A2DC440000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/2668-2-0x000001A2DC260000-0x000001A2DC312000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        712KB

                                                                                                                                      • memory/2668-1-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.8MB

                                                                                                                                      • memory/2668-84-0x00007FFD03160000-0x00007FFD03C21000-memory.dmp

                                                                                                                                        Filesize

                                                                                                                                        10.8MB