Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-06-2024 11:09

General

  • Target

    0e12bdd2a8200d4c1f368750e2c87bfe.exe

  • Size

    36.5MB

  • MD5

    0e12bdd2a8200d4c1f368750e2c87bfe

  • SHA1

    6c8b533e2c7f6ebef027971c3a06f4c55ed64cfe

  • SHA256

    af77c0b6a10ac159b0e3c87c02e16a2b44daab8e67fe097327e90ae48f814403

  • SHA512

    909f15876f3a6cbe608eb53df4286927b013c45ff6acbc496a1590b9cc3fe47b1bb449ed45c3302f6d03cccb876cd2cc26f2b5e7c1ca4ff2d17dd4dee77bf75b

  • SSDEEP

    393216:sYJEy4Te0rrigZ9BCbZPBKAgKBXSTzdOskYXXDeycerzHP+THt+/nDSpQg:sYJcrlZ9BGfg8XIJOkXXPCTV

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Creates new service(s) 2 TTPs
  • Executes dropped EXE 3 IoCs
  • Power Settings 1 TTPs 5 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

  • Drops file in System32 directory 15 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e12bdd2a8200d4c1f368750e2c87bfe.exe
    "C:\Users\Admin\AppData\Local\Temp\0e12bdd2a8200d4c1f368750e2c87bfe.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\0e12bdd2a8200d4c1f368750e2c87bfe-10c703c847d58adc\0e12bdd2a8200d4c1f368750e2c87bfe.exe
      "C:\Users\Admin\AppData\Local\Temp\0e12bdd2a8200d4c1f368750e2c87bfe-10c703c847d58adc\0e12bdd2a8200d4c1f368750e2c87bfe.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\system32\winsvc.exe
        "C:\Windows\system32\winsvc.exe" "C:\Users\Admin\AppData\Local\Temp\0e12bdd2a8200d4c1f368750e2c87bfe-10c703c847d58adc\0e12bdd2a8200d4c1f368750e2c87bfe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "create" "winsvc" "type=own" "start=auto" "error=ignore" "binPath=\"C:\Windows\system32\winsvc.exe\"" "DisplayName=\"Windows System Service\""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:968
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" create winsvc type=own start=auto error=ignore binPath=C:\Windows\system32\winsvc.exe "DisplayName=Windows System Service"
            5⤵
            • Launches sc.exe
            PID:4496
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "failure" "winsvc" "reset=0" "actions=restart/0/restart/0/restart/0"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4032
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" failure winsvc reset=0 actions=restart/0/restart/0/restart/0
            5⤵
            • Launches sc.exe
            PID:4160
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "description" "winsvc" "\"Windows System Service is the main system supervision service.\""
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:60
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" description winsvc "Windows System Service is the main system supervision service."
            5⤵
            • Launches sc.exe
            PID:1748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "\"C:\Windows\system32\sc.exe\"" "start" "winsvc"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1524
          • C:\Windows\system32\sc.exe
            "C:\Windows\system32\sc.exe" start winsvc
            5⤵
            • Launches sc.exe
            PID:4108
  • C:\Windows\system32\winsvc.exe
    C:\Windows\system32\winsvc.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\system32\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2336
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Add-MpPreference" "-ExclusionPath" "\"C:\Windows\Temp\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-SETACTIVE" "8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -SETACTIVE 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-ac" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change standby-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "standby-timeout-dc" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change standby-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-ac" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-ac 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "&" "powercfg.exe" "-change" "hibernate-timeout-dc" "0"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\system32\powercfg.exe
        "C:\Windows\system32\powercfg.exe" -change hibernate-timeout-dc 0
        3⤵
        • Power Settings
        • Suspicious use of AdjustPrivilegeToken
        PID:4372
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "winnet.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "winnet.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "wincfg.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5052
    • C:\Windows\system32\taskkill.exe
      "taskkill.exe" "/F" "/IM" "wincfg.exe"
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "Remove-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\""
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" "-WindowStyle" "Hidden" "-Command" "New-NetFirewallRule" "-DisplayName" "\"Windows Network Manager\"" "-Program" "\"C:\Windows\system32\winnet.exe\"" "-Action" "Allow" "-Direction" "Inbound" "-EdgeTraversalPolicy" "Allow" "-Enabled" "True"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3528

    Network

    MITRE ATT&CK Matrix


    Downloads
