Overview

overview

10

Static

static

1

a7d7270cce...ea.exe

windows7-x64

10

a7d7270cce...ea.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    06-08-2024 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a7d7270ccee9ee5ed6645fb48ba499041d9a59d25e60040f06125e727338a9ea.exe

  • Size

    16.4MB

  • MD5

    d2901c7724d3a55d168f10f21b9e7393

  • SHA1

    7a780a33918daa7989a6b33024631fe731fddd1c

  • SHA256

    a7d7270ccee9ee5ed6645fb48ba499041d9a59d25e60040f06125e727338a9ea

  • SHA512

    34faff002ea35ae1a03a05b2b8910c7b650b1de5c41171aa1e872e6009aca77896b679370146cfc2bed16778c5518276115d3e7ac44c37eba852d5cf66f9db8a

  • SSDEEP

    393216:x6uxKLdKWjA+c9xRdmrE5jnzjQxhYdBz14c4ReeZHgcRK+:Pf1Rdm45jnzUxKD16wibU+

Score
10/10
defense_evasionevasionexecutionpersistence

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 2 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 1 IoCs
  • Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

    Clear Windows Event Logs to hide the activity of an intrusion.

    defense_evasion
  • Loads dropped DLL 2 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Sets service image path in registry
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:588
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            3⤵
              PID:1356
            • C:\Windows\system32\wbem\wmiprvse.exe
              C:\Windows\system32\wbem\wmiprvse.exe
              3⤵
                PID:784
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                3⤵
                • Checks processor information in registry
                PID:2372
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS
              2⤵
                PID:664
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                2⤵
                • Modifies security service
                • Indicator Removal: Clear Windows Event Logs
                PID:748
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                2⤵
                  PID:804
                  • C:\Windows\system32\Dwm.exe
                    "C:\Windows\system32\Dwm.exe"
                    3⤵
                      PID:1200
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs
                    2⤵
                    • Drops file in Windows directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of UnmapMainImage
                    PID:848
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService
                    2⤵
                      PID:972
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k NetworkService
                      2⤵
                        PID:272
                      • C:\Windows\System32\spoolsv.exe
                        C:\Windows\System32\spoolsv.exe
                        2⤵
                          PID:1012
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                          2⤵
                            PID:1032
                          • C:\Windows\system32\taskhost.exe
                            "taskhost.exe"
                            2⤵
                              PID:1128
                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                              2⤵
                                PID:1656
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                2⤵
                                  PID:1712
                                • C:\Windows\system32\sppsvc.exe
                                  C:\Windows\system32\sppsvc.exe
                                  2⤵
                                    PID:1944
                                  • C:\ProgramData\WindowsServices\WindowsAutHost
                                    C:\ProgramData\WindowsServices\WindowsAutHost
                                    2⤵
                                    • Drops file in Drivers directory
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                    • Suspicious use of SetThreadContext
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:1724
                                    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                      3⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Drops file in System32 directory
                                      • Modifies data under HKEY_USERS
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1360
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                      3⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:1880
                                      • C:\Windows\system32\wusa.exe
                                        wusa /uninstall /kb:890830 /quiet /norestart
                                        4⤵
                                        • Drops file in Windows directory
                                        PID:2476
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop UsoSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:1272
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:1920
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop wuauserv
                                      3⤵
                                      • Launches sc.exe
                                      PID:912
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop bits
                                      3⤵
                                      • Launches sc.exe
                                      PID:1508
                                    • C:\Windows\system32\sc.exe
                                      C:\Windows\system32\sc.exe stop dosvc
                                      3⤵
                                      • Launches sc.exe
                                      PID:1532
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1600
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2236
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1652
                                    • C:\Windows\system32\powercfg.exe
                                      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                      3⤵
                                      • Power Settings
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1608
                                    • C:\Windows\system32\dialer.exe
                                      C:\Windows\system32\dialer.exe
                                      3⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1520
                                    • C:\Windows\system32\dialer.exe
                                      C:\Windows\system32\dialer.exe
                                      3⤵
                                        PID:732
                                      • C:\Windows\system32\dialer.exe
                                        dialer.exe
                                        3⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2728
                                  • C:\Windows\system32\lsass.exe
                                    C:\Windows\system32\lsass.exe
                                    1⤵
                                      PID:488
                                    • C:\Windows\system32\lsm.exe
                                      C:\Windows\system32\lsm.exe
                                      1⤵
                                        PID:496
                                      • C:\Windows\Explorer.EXE
                                        C:\Windows\Explorer.EXE
                                        1⤵
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        PID:1240
                                        • C:\Users\Admin\AppData\Local\Temp\a7d7270ccee9ee5ed6645fb48ba499041d9a59d25e60040f06125e727338a9ea.exe
                                          "C:\Users\Admin\AppData\Local\Temp\a7d7270ccee9ee5ed6645fb48ba499041d9a59d25e60040f06125e727338a9ea.exe"
                                          2⤵
                                          • Drops file in Drivers directory
                                          • Drops file in System32 directory
                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                          • Suspicious use of SetThreadContext
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          PID:2708
                                          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Drops file in System32 directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2804
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                            3⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:2892
                                            • C:\Windows\system32\wusa.exe
                                              wusa /uninstall /kb:890830 /quiet /norestart
                                              4⤵
                                              • Drops file in Windows directory
                                              PID:1112
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop UsoSvc
                                            3⤵
                                            • Launches sc.exe
                                            PID:2756
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                            3⤵
                                            • Launches sc.exe
                                            PID:2696
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop wuauserv
                                            3⤵
                                            • Launches sc.exe
                                            PID:2520
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop bits
                                            3⤵
                                            • Launches sc.exe
                                            PID:2596
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop dosvc
                                            3⤵
                                            • Launches sc.exe
                                            PID:2480
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                            3⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2496
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                            3⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:568
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                            3⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2460
                                          • C:\Windows\system32\powercfg.exe
                                            C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                            3⤵
                                            • Power Settings
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2592
                                          • C:\Windows\system32\dialer.exe
                                            C:\Windows\system32\dialer.exe
                                            3⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • Suspicious use of WriteProcessMemory
                                            PID:2344
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe delete "WindowsAutHost"
                                            3⤵
                                            • Launches sc.exe
                                            PID:1960
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
                                            3⤵
                                            • Launches sc.exe
                                            PID:2636
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe stop eventlog
                                            3⤵
                                            • Launches sc.exe
                                            PID:2552
                                          • C:\Windows\system32\sc.exe
                                            C:\Windows\system32\sc.exe start "WindowsAutHost"
                                            3⤵
                                            • Launches sc.exe
                                            PID:2164
                                      • C:\Windows\system32\conhost.exe
                                        \??\C:\Windows\system32\conhost.exe "2086412671-93932682519795250381617604341-836305682-446585951343477001964501948"
                                        1⤵
                                          PID:1612
                                        • C:\Windows\system32\conhost.exe
                                          \??\C:\Windows\system32\conhost.exe "1212980361524276580-1795086721-430527355804235603238932031509737399-33426751"
                                          1⤵
                                            PID:2836
                                          • C:\Windows\system32\conhost.exe
                                            \??\C:\Windows\system32\conhost.exe "-1321534396-258736963919043813-2076456086-1134310314-1594297458-1824593685-758858764"
                                            1⤵
                                              PID:1152
                                            • C:\Windows\system32\conhost.exe
                                              \??\C:\Windows\system32\conhost.exe "77531754728815098621096743651142985803-19411222941059967890-976275346824508223"
                                              1⤵
                                                PID:1776
                                              • C:\Windows\system32\conhost.exe
                                                \??\C:\Windows\system32\conhost.exe "198562329-14461636581251659843-633117725-570589577-13688278051291481136-835524881"
                                                1⤵
                                                  PID:2964
                                                • C:\Windows\system32\conhost.exe
                                                  \??\C:\Windows\system32\conhost.exe "1173739002130990201616423350866772643971875208218-10667238221498357491-565953112"
                                                  1⤵
                                                    PID:2684
                                                  • C:\Windows\system32\conhost.exe
                                                    \??\C:\Windows\system32\conhost.exe "1075939201333459665164276738815627814071671225818-63675435615758125492050831661"
                                                    1⤵
                                                      PID:1092
                                                    • C:\Windows\system32\conhost.exe
                                                      \??\C:\Windows\system32\conhost.exe "-3005859681727948047-1887593936-1426107464-2015809756-15106640951368928982363848993"
                                                      1⤵
                                                        PID:616
                                                      • C:\Windows\system32\conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe "7880909081311534491-128851375511011649871965341537-9892184858473507461216553970"
                                                        1⤵
                                                          PID:1716
                                                        • C:\Windows\system32\conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe "-1453733164127877085124026576-580668282-2018734651212376877-644435916-755167083"
                                                          1⤵
                                                            PID:1332
                                                          • C:\Windows\system32\conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe "-2031395253456068581-204830556-79129625011861523091241758194-10575210851934860546"
                                                            1⤵
                                                              PID:1996
                                                            • C:\Windows\system32\conhost.exe
                                                              \??\C:\Windows\system32\conhost.exe "1983679642-554048194-518147264-834545569-1312182919-5607055692371724531062707720"
                                                              1⤵
                                                                PID:1972

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              System Services

                                                              2
                                                              T1569

                                                              Service Execution

                                                              2
                                                              T1569.002

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Create or Modify System Process

                                                              3
                                                              T1543

                                                              Windows Service

                                                              3
                                                              T1543.003

                                                              Power Settings

                                                              1
                                                              T1653

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              1
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Create or Modify System Process

                                                              3
                                                              T1543

                                                              Windows Service

                                                              3
                                                              T1543.003

                                                              Defense Evasion

                                                              Impair Defenses

                                                              1
                                                              T1562

                                                              Indicator Removal

                                                              1
                                                              T1070

                                                              Clear Windows Event Logs

                                                              1
                                                              T1070.001

                                                              Modify Registry

                                                              2
                                                              T1112

                                                              Credential Access

                                                              Discovery

                                                              Query Registry

                                                              1
                                                              T1012

                                                              System Information Discovery

                                                              1
                                                              T1082

                                                              Lateral Movement

                                                              Collection

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Service Stop

                                                              1
                                                              T1489

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\ProgramData\WindowsServices\WindowsAutHost
                                                                Filesize

                                                                16.4MB

                                                                MD5

                                                                d2901c7724d3a55d168f10f21b9e7393

                                                                SHA1

                                                                7a780a33918daa7989a6b33024631fe731fddd1c

                                                                SHA256

                                                                a7d7270ccee9ee5ed6645fb48ba499041d9a59d25e60040f06125e727338a9ea

                                                                SHA512

                                                                34faff002ea35ae1a03a05b2b8910c7b650b1de5c41171aa1e872e6009aca77896b679370146cfc2bed16778c5518276115d3e7ac44c37eba852d5cf66f9db8a

                                                                Download Submit

                                                              • C:\Windows\system32\drivers\etc\hosts
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                f7892522ff70f44411dd60ed28638405

                                                                SHA1

                                                                ab16eb12875ff707bb10949670a2b6d6659b41c5

                                                                SHA256

                                                                32f44736ff15641ef054638c865384fcc4de2ac5bccc6bb123f19b55bd90d522

                                                                SHA512

                                                                d4e5c97a84d5202044c2c7739a6a75ab6c4ff70efaed2af4789c9fcc278ce39b064f280de93a61b638b626ab40a25b1d110253244807704601456791c1384bdc

                                                                Download Submit

                                                              • memory/424-71-0x000007FEBD760000-0x000007FEBD770000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/424-42-0x0000000000B90000-0x0000000000BB4000-memory.dmp

                                                                Filesize

                                                                144KB

                                                                Download

                                                              • memory/424-72-0x00000000373E0000-0x00000000373F0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/424-40-0x0000000000B90000-0x0000000000BB4000-memory.dmp

                                                                Filesize

                                                                144KB

                                                                Download

                                                              • memory/424-70-0x0000000000CD0000-0x0000000000CFB000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/480-74-0x00000000001A0000-0x00000000001CB000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/480-75-0x000007FEBD760000-0x000007FEBD770000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/480-76-0x00000000373E0000-0x00000000373F0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/488-78-0x0000000000080000-0x00000000000AB000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/488-79-0x000007FEBD760000-0x000007FEBD770000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/488-80-0x00000000373E0000-0x00000000373F0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/1360-355-0x000000001A080000-0x000000001A362000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/1360-356-0x00000000001A0000-0x00000000001A8000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/2344-31-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-34-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-30-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-33-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-29-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-37-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/2344-35-0x00000000773A0000-0x0000000077549000-memory.dmp

                                                                Filesize

                                                                1.7MB

                                                                Download

                                                              • memory/2708-0-0x000000013F763000-0x000000013FE8B000-memory.dmp

                                                                Filesize

                                                                7.2MB

                                                                Download

                                                              • memory/2708-10-0x0000000077560000-0x0000000077562000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2708-325-0x000000013F220000-0x0000000140EE4000-memory.dmp

                                                                Filesize

                                                                28.8MB

                                                                Download

                                                              • memory/2708-8-0x0000000077560000-0x0000000077562000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2708-290-0x000000013F763000-0x000000013FE8B000-memory.dmp

                                                                Filesize

                                                                7.2MB

                                                                Download

                                                              • memory/2708-3-0x0000000077550000-0x0000000077552000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2708-1-0x0000000077550000-0x0000000077552000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2708-14-0x000000013F220000-0x0000000140EE4000-memory.dmp

                                                                Filesize

                                                                28.8MB

                                                                Download

                                                              • memory/2708-12-0x000000013F220000-0x0000000140EE4000-memory.dmp

                                                                Filesize

                                                                28.8MB

                                                                Download

                                                              • memory/2708-5-0x0000000077550000-0x0000000077552000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2708-6-0x0000000077560000-0x0000000077562000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2804-25-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download

                                                              • memory/2804-19-0x000007FEF55FE000-0x000007FEF55FF000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2804-20-0x000000001B470000-0x000000001B752000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2804-21-0x0000000002250000-0x0000000002258000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/2804-22-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download

                                                              • memory/2804-23-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download

                                                              • memory/2804-24-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download

                                                              • memory/2804-26-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download

                                                              • memory/2804-27-0x000007FEF5340000-0x000007FEF5CDD000-memory.dmp

                                                                Filesize

                                                                9.6MB

                                                                Download