Resubmissions

16-07-2024 12:47

240716-p1ep1swcmh 8

13-06-2024 01:22

240613-brastayfnd 8

Analysis

  • max time kernel
    90s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-06-2024 01:22

General

  • Target

    uninstalltool_setup.exe

  • Size

    5.7MB

  • MD5

    417161bef8a9990d7d99cd660042608d

  • SHA1

    8b319c3ec6cff5a598f7ee3be643a1e13ac85a1b

  • SHA256

    66b696e76af8e72272883e22e7f5e42e168195c2e42fddf6d9e4e59c8a003ee4

  • SHA512

    3603a744fad93c6b0f48a9ab5795193b0c5c5e145fa80d5c5b0214efc62b39e80d3c83fe04b90b48aca2dd504c4b4f6cfa3f896f66cf76dc204e661ba36b0ae6

  • SSDEEP

    98304:mkL6cnCk9EjDxlSQSk0StENJ6+t22o0LPfG8I2zCFqCmRY4z6FSQ8l5ocPCfEWa:Rt92xcQF7tETN22o6XGN2lRqcr5bWa

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

  • Drops file in Drivers directory 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 56 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies system executable filetype association 2 TTPs 4 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4896
      • C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp" /SL5="$4021A,4977297,845824,C:\Users\Admin\AppData\Local\Temp\uninstalltool_setup.exe"
        3⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt.dll"
          4⤵
          • Loads dropped DLL
          • Modifies system executable filetype association
          • Registers COM server for autorun
          • Modifies registry class
          PID:1612
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3728
          • C:\Windows\SysWOW64\regsvr32.exe
            /s "C:\Program Files\Uninstall Tool\UTShellExt_x86.dll"
            5⤵
            • Loads dropped DLL
            • Modifies system executable filetype association
            • Modifies registry class
            PID:4936
        • C:\Program Files\Uninstall Tool\PinToTaskbar.exe
          "C:\Program Files\Uninstall Tool\PinToTaskbar.exe" /pin UninstallTool.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1088
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe" /install_service_silent
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1480
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe" /init
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4240
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe" /add_control_panel_icon
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4452
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe" /skip_uac
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3648
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe" /msix_register
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -WindowStyle hidden -c "Add-AppxPackage 'C:\Program Files\Uninstall Tool\UTShellExt2.msix' -ExternalLocation 'C:\Program Files\Uninstall Tool\'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
        • C:\Program Files\Uninstall Tool\UninstallTool.exe
          "C:\Program Files\Uninstall Tool\UninstallTool.exe"
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:724
          • C:\Program Files\Uninstall Tool\UninstallToolHelper.exe
            "C:\Program Files\Uninstall Tool\UninstallToolHelper.exe" /pid:724
            5⤵
            • Executes dropped EXE
            PID:4608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Uninstall Tool\PinToTaskbar.exe

    Filesize

    386KB

    MD5

    4de7220115fe537eaf6c5776e83f0064

    SHA1

    e81a7feab77203266a8afb379ff93025c923f28b

    SHA256

    e87288744cc29c5ab81d9c3fa78653cacd87bc74bf5a3abc4f38afcd6a1a5c16

    SHA512

    b33113314636a491c35dea215c3cd75f74797223d5b6b7ca88b790b9ddc9969c8759b61e354e753db2476dd65953664cf321940be811c6c9fc01391f0490c02f

  • C:\Program Files\Uninstall Tool\PinToTaskbarHelper.dll

    Filesize

    366KB

    MD5

    4c415adb0750fe1e1d2f52c3902274c0

    SHA1

    001fc6dc3706f1596295e4e7a4eabb5a407dab52

    SHA256

    7d0a990c0b976ff4d99abfa935eadebcece34e7d4e711ed86066ab7845d6a417

    SHA512

    aaecb72a0ec6e28336bcf5cf83d8ff0e220302c76df2715186b7fd25891662588f27215b7043613472ed747908eec9169b51c035b1e069b2c2a95c999cbf8dab

  • C:\Program Files\Uninstall Tool\UTShellExt.dll

    Filesize

    516KB

    MD5

    c836d4008d50fdbb49101eea1d49a57f

    SHA1

    ebfc097ecde12532d0ac8d76dd67df79c8007e77

    SHA256

    157b1afebd03b3325bb13bb229caebe2e3c73360250fe689af1635a670487e17

    SHA512

    eab2b799a2ac670dcce82429139ec7482c1ac9d9c2ed028f926add1c462d8347bd293f284fba3fb91a61d0c48b9a63829c895ba300d3f6ff07cfa1977ba138f3

  • C:\Program Files\Uninstall Tool\UTShellExt_x86.dll

    Filesize

    422KB

    MD5

    7460a0e0c7cd0d14649eec1688322505

    SHA1

    e7b1fc34362123f8bd95eac5996d7788e618c0da

    SHA256

    6a9e6a25e9fe6c5503dfcc606e0392f6dcbe71a1e9dec010cde7ff82b7cd52f7

    SHA512

    44e1bcac6f4cac6ca39aea60da403bd09e8eaf82e40984bb1c676828373e5af160b99aea186b71e9be69f4ecf2090de9fa5d79cf50c3c348545f25454d361e40

  • C:\Program Files\Uninstall Tool\UninstallTool.exe

    Filesize

    5.6MB

    MD5

    3314588abbe3e7e976ca664886e691b8

    SHA1

    91ab07ccf95e087c3878c3e2d93941e561ed979a

    SHA256

    6095e41aed91326a12acd02ae988711befd3e3ad2d280ca5d0c2647cb0f781f1

    SHA512

    77fbc216f0c6633f39ba6e0490358276e977e7dc981e7f164328a92f5a014d90b1aaf41819519bd3313b8ddfded4b98c069eaae15f2057e5f42d8177facc700f

  • C:\Program Files\Uninstall Tool\UninstallToolHelper.exe

    Filesize

    463KB

    MD5

    d82e0a3786dba17f88929d11d6b00b96

    SHA1

    098f9b676677dc3a30530ad5254b7fb41e1391d9

    SHA256

    ba8d7b5662f85aa901fd6bcf86fc5989013577b18c81a91bffc1211fec31d6c8

    SHA512

    4df64c5f421103fabf156342d41ff2cece82ce6b7015c454ac78680611d4ab64788c7ed50b0505edcd4cc704fdbe3c118370464c476f8047bd0e022ddbc3424d

  • C:\Program Files\Uninstall Tool\languages\English.xml

    Filesize

    40KB

    MD5

    955f262f1ab8f37793ad91945a01d01d

    SHA1

    859828af13645c29878b67f300820b4d31fac352

    SHA256

    bbd3c410b5519170b3c002e9c8c4eb3a5599439f00f5e1d3c3037a484c35c907

    SHA512

    c8e120533e41f7e02ac0368c0a06b6bfc4da2192bb2282daaba1d27a81780ae6001834fbe1333fca89da1db137941fcf6be80924359031b0ba6289b3c8cfceb1

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool on the Web.lnk

    Filesize

    651B

    MD5

    342c1625bb428a11c97ae14501f5ee7b

    SHA1

    5a3642de1164bdc141c66ba9d56ac594d267f62f

    SHA256

    becb9a8d5a5d5150550cb2461bb0429838406576e710b21dc94388c9239e7161

    SHA512

    7cd9f7069afe26b3ad864ac48c52a9547ecacf301d51961f6b2a63177dafb849c097f1600f7942499f150e91ede9c2715a77c76d4408e63587cd2eca4f770820

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Uninstall Tool\Uninstall Tool.lnk

    Filesize

    945B

    MD5

    398056af197de168302f8041ac148761

    SHA1

    8ca2d0e2c0c0e6cc1cae3de1802f354343647a2d

    SHA256

    89321a2f1068cfc3dc7f9e3d8ce3fc552ecd02cd976f04026c1801672b5ce882

    SHA512

    4256ef61b317916fcc5351e9a6612d935fe3835f35bf6c218298f0764def20daeee7b0b07277d7f33feb33f6542ecb7ca05bb1e6469787d51da7d24d971224a4

  • C:\Users\Admin\AppData\Local\Temp\CisUtMonitor.sys

    Filesize

    56KB

    MD5

    1b16fa25136adb7b3c41a3f1d474c901

    SHA1

    d6d0fc8367c3939fedc45474c37ed16b83b53f15

    SHA256

    917572f2a45f7b8312ed09d783418534e95888c10f3e0b6cf40c5df58a7c390d

    SHA512

    e67e214b87b7b5ff9a678d4ccf4c65f8f828e46969498e8163b565658baccb3d72c60c43e8b5a459ec0215e079949182c92c750484f1b3dfd0e5af21634cf236

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmysxaaq.tyj.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\is-C0L2A.tmp\uninstalltool_setup.tmp

    Filesize

    3.1MB

    MD5

    8c1451188764f81954e6d4672100433a

    SHA1

    c01d90c825b3ed029eeb45017fa37d40bd1fd32b

    SHA256

    5fe7888a8a41638e457a1d52369701f33b2084aeeb32a3c4fc996b1487a8fadd

    SHA512

    a2a4d1b8801893cb1a6820233c8b78f272869224471f72aee82b18aa1001cd3b68955121c6f38b9318c6093f0089bf6afac89979668381eaa587241af8824164

  • C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\CachedData.dat

    Filesize

    2KB

    MD5

    aadc51577335d88ce808a6eda9698834

    SHA1

    07ecb289a6a3fdb267ff98647e4868ca8ab62900

    SHA256

    bcfd650a8ec7c6da4492be7993c815675c407ec9f59a1991609713c45de88524

    SHA512

    0b54fbc26c44113e4229b1d84a3b37915c91123ad5c879b566edea3f6eee43330e901889febcd0552bccc0003a64917a03b6d6bf6c6f2bf5aa860786de6608e0

  • C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml

    Filesize

    1KB

    MD5

    23618daa6d7d186c500d713997df0031

    SHA1

    aec490f22c95101f8dc2f6c7d6c6d04bb32b966f

    SHA256

    0237bf82b7610c21bf77e99037ba18d73c9fccec531b49f08e9b821825cbfa00

    SHA512

    fc2045ae65cb289ea1a89a908f0598ba6c78279ae092e41e4966504a5aef6927ad4825d142f4a88c1c54da6f531e6ace0a9588930f037416fe154256dffedf73

  • C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\CrystalIdea Software\Uninstall Tool\preferences.xml

    Filesize

    2KB

    MD5

    f3154c236c6d83b608538be27acf0063

    SHA1

    0330d902d0c2c484e8ea12389727cf8f88e8428b

    SHA256

    33d1a491ecde710b768fc366670df967f35eeab79aded68b3313e6837e49eddd

    SHA512

    5c0605e81e73006122f4001c54d72b31c3c025ef31c1d153965e78d7f874abdd669b51f1cb8f77bbf2fb565fbd9a8210293c462dd37ac2b5bf832a106e21f91a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Uninstall Tool.lnk

    Filesize

    1KB

    MD5

    20143876b0f0048e8c104ea396980f92

    SHA1

    0cd8811215a4d6d3b860bf47b69924d0582a8b0f

    SHA256

    06c9e1fd83aa15a5df6bd0dea28d406e288038cedcd56a1444360850d144a068

    SHA512

    714b719fa5d820fb472133dc0cfb85f6b0c5fbeb0d380b38ef287b5e78dda0dbd76398aed416a48e571447245f4cb617a0f8c1c0493f84c3cf353d606f8613ac

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms

    Filesize

    5KB

    MD5

    bb844b7e95e9c2abe561213b0da05a1e

    SHA1

    854b56bbbe10387a6183430084e80934f6b2a73c

    SHA256

    8d753b234b883adeb7678d8bb637f886ba0a7c2b393b06988efd520391423e0c

    SHA512

    cb6c6b6cf71268bd4df2ab490c9177e34238d98b474fd9c90c58c2ff528558c0a0fd2eb869073af53aff2c18cb9eccd725d07d8ca72da03ca4635347c4a5cebe

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\269c0465f0b4b6ee.customDestinations-ms

    Filesize

    5KB

    MD5

    e09d7e340448e0ff92e857dbbde2e2c4

    SHA1

    3920f5e6f8bbe7d0f4927aaccaf26b35e077f989

    SHA256

    890cda88968e3d9f7740c4dd7054930718e16b31d21922ed450f9bb8fe034af5

    SHA512

    df8b2ce55cbc7b046bc5e916fcb4a43f54b53ae6a74f0a4d7fea10674a7fbde991356de6b96a52e44dc9b5ca924e4af4749c69490377b5d000ffdb3b9d4f8d1b

  • C:\Users\Admin\Desktop\Uninstall Tool.lnk

    Filesize

    927B

    MD5

    7e162008b9fe2d5de997c2571ffbcd21

    SHA1

    8bb5126a2377c3d713ca566337f65ca6eed9a08a

    SHA256

    48130b48ad2391d563e40ff31008a5a07c7ae5c7d0547655b0101608c1ca9216

    SHA512

    7f7016856171692a2b0d99fc69a8ab6329f31f7cbc19cb6506c93c7bc0ec37c2dbbb2008485aecd3651214b24908e255062b10ab5df7a86e76cbb2cbb6247522

  • memory/1568-175-0x000001F421610000-0x000001F421632000-memory.dmp

    Filesize

    136KB

  • memory/1568-184-0x000001F421A20000-0x000001F421A3C000-memory.dmp

    Filesize

    112KB

  • memory/1568-185-0x000001F421800000-0x000001F42180A000-memory.dmp

    Filesize

    40KB

  • memory/3332-234-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-247-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-271-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-272-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-273-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-274-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-270-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-269-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-221-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-222-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-223-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-226-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-225-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-224-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-227-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-228-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-232-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-231-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-230-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-229-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-233-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-267-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-235-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-236-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-237-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-238-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-239-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-241-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-242-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-240-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-243-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-244-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-248-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-268-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-246-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-245-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-250-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-249-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-252-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-251-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-253-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-254-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-255-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-258-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-256-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-257-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-259-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-260-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-262-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-264-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-261-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-263-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-265-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3332-266-0x00000000063C0000-0x00000000063D0000-memory.dmp

    Filesize

    64KB

  • memory/3636-193-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/3636-9-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/3636-205-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/3636-6-0x0000000000400000-0x0000000000717000-memory.dmp

    Filesize

    3.1MB

  • memory/4608-219-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/4608-209-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/4608-301-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

  • memory/4896-0-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

  • memory/4896-8-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

  • memory/4896-206-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

  • memory/4896-2-0x0000000000401000-0x00000000004B7000-memory.dmp

    Filesize

    728KB