Overview

overview

10

Static

static

3

a5e089cad1...61.exe

windows7-x64

10

a5e089cad1...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    61s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-06-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a5e089cad1b30d5fde031c00eaff1684e5496d78b9566b34a824fb10046d0561.exe

  • Size

    2.2MB

  • MD5

    24ceb3e3e8099b919770ef7a9733ee20

  • SHA1

    9a94fc8a25a739ba40ffd65b6e98c8c4ee9c8d3d

  • SHA256

    a5e089cad1b30d5fde031c00eaff1684e5496d78b9566b34a824fb10046d0561

  • SHA512

    582b95772a8fe06a595e5917d9187b337c69dcfc7aa6901edb6867a5d37e29222897000c4fb9188e8655c0c31213980272a6b2c02494c0b689e7e368ae8d1429

  • SSDEEP

    49152:IBJahp5EU8m4pX0idKzvAaqqDx3cYrjcIduif5JvnIcYXZ:yU5vf43dKzvAgRB4+PYXZ

Score
10/10
execution

Malware Config

Signatures

  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Detects executables packed with unregistered version of .NET Reactor 34 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a5e089cad1b30d5fde031c00eaff1684e5496d78b9566b34a824fb10046d0561.exe
    "C:\Users\Admin\AppData\Local\Temp\a5e089cad1b30d5fde031c00eaff1684e5496d78b9566b34a824fb10046d0561.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4412
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainIntocrt\ZTOZJjGyYhRsvXcoEg5SDe.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainIntocrt\fviPjsMXEttakOzaHGgkTUNCUCeSsVVT23yG33jsUjGPToPno.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe
          "C:\Users\Admin\AppData\Roaming\chainIntocrt/ContainercomponentFontReviewwin.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kjedWF7a21.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4372
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:3128
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1576
                • C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe
                  "C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1764
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4408
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3972
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2016
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3448
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1456
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:5008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4644
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\wininit.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2252
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ContainercomponentFontReviewwinC" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ContainercomponentFontReviewwin" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "ContainercomponentFontReviewwinC" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3212

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d42b6da621e8df5674e26b799c8e2aa

        SHA1

        ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

        SHA256

        5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

        SHA512

        53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        77d622bb1a5b250869a3238b9bc1402b

        SHA1

        d47f4003c2554b9dfc4c16f22460b331886b191b

        SHA256

        f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

        SHA512

        d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zldcfv3i.5v1.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\kjedWF7a21.bat
        Filesize

        229B

        MD5

        c0a092c0db805168468df646f46d6062

        SHA1

        9344046e7a848be893e918b7e0ab25ff397b4a72

        SHA256

        71db61f92b8c673db5f0694a9238319229149b2216f906020436e154c30efc19

        SHA512

        9208b6e78914b50a790fcd00f353468d247ced0a4dedd821c02ec4d95610272b409136a1f7597a3d9a83a1363036803a7761bc97c833855166308f033895609a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\chainIntocrt\ContainercomponentFontReviewwin.exe
        Filesize

        1.9MB

        MD5

        84effadc40f38da6129c35531e325a3b

        SHA1

        8e9b7c31f1dcd4e76b67ffd63054b1338b03ce93

        SHA256

        755e2a148f781d4d15ae10eff4abdcacb1ed237747f1149e83053bb871097870

        SHA512

        7a54908eb0796335b6824710cac34cb555ac4d0f9fd992c3607acdb29e4d7884dfc47786167dc9c1cff3bb85717463a2757077e885a0dd6876d766bb82b2747c

        Download Submit

      • C:\Users\Admin\AppData\Roaming\chainIntocrt\ZTOZJjGyYhRsvXcoEg5SDe.vbe
        Filesize

        247B

        MD5

        5a6caabc575dc70295203f0a0a0ecb5e

        SHA1

        21790b832512be87fd378dbab8ef41637f17c7a4

        SHA256

        6db8942552a0c8ce4821b75c886f075ca416a8089d7bccf33be5db19e3851ac3

        SHA512

        06c79570bead1142df941447ec9ec0f1aa57fcf677f3b09c341b67e0a4d61428f6d0bbf3a190296094df60f7caba9322e89064ee3c5999d370ef4c9384b64cad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\chainIntocrt\fviPjsMXEttakOzaHGgkTUNCUCeSsVVT23yG33jsUjGPToPno.bat
        Filesize

        122B

        MD5

        2ae28ed54f754800afd1bbd2cd983c9e

        SHA1

        7eb34d09679c9254313359f05b56f6cb7a6154b8

        SHA256

        617f1623a16228a5e821d1dfadf2e12037b583ac3ca78e004bdb6e2b2def493c

        SHA512

        523fa82e1ec168753e914fe50d1473c644ffb1c063983272d2d75992f5292c08223aace86d778e580eb26ba2114e2773f0f58d39ce12af381eabfd63a454ebab

        Download Submit

      • memory/1344-3608-0x00000135DD4F0000-0x00000135DD512000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3556-52-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-38-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-50-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-64-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-78-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-76-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-74-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-72-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-70-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-68-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-66-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-62-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-60-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-58-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-56-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-54-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-15-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-48-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-44-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-42-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-40-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-32-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-36-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-34-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-30-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-28-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-26-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-24-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-22-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-20-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-18-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-16-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-46-0x000000001B630000-0x000000001B86B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-3572-0x0000000001100000-0x000000000110E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3556-3574-0x0000000002940000-0x0000000002950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3556-3576-0x0000000002970000-0x0000000002982000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3556-3578-0x0000000002A10000-0x0000000002A6A000-memory.dmp

        Filesize

        360KB

        Download

      • memory/3556-14-0x000000001B630000-0x000000001B870000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/3556-13-0x0000000000930000-0x0000000000938000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3556-12-0x00007FFEE9913000-0x00007FFEE9915000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3556-3580-0x0000000002950000-0x0000000002960000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3556-3582-0x0000000002960000-0x000000000296E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3556-3584-0x0000000002990000-0x0000000002998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3556-3586-0x00000000029B0000-0x00000000029BC000-memory.dmp

        Filesize

        48KB

        Download