Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-11-2024 02:11

General

  • Target

    aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

  • Size

    206KB

  • MD5

    70c771952bc897446d3ddad90541a1e6

  • SHA1

    b00b50a893e4552651c4a5c38cf4bb9aed7a101e

  • SHA256

    aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

  • SHA512

    33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

  • SSDEEP

    3072:UVqoCl/YgjxEufVU0TbTyDDalW49D9fMiSE9CCHGOn54yWgW9tFwyMJjVQbE/FGl:UsLqdufVUNDapD9fMs9u7

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe
    "C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2668
    • \??\c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
      c:\users\admin\appdata\local\temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\system32\cmd.exe
        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2924
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:948
      • C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1092
        • C:\Windows\system32\cmd.exe
          "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2588
      • C:\Users\Admin\AppData\Local\Temp\Services32.exe
        "C:\Users\Admin\AppData\Local\Temp\Services32.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2596
        • \??\c:\users\admin\appdata\local\temp\services32.exe 
          c:\users\admin\appdata\local\temp\services32.exe 
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1644
          • C:\Windows\system32\cmd.exe
            "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & exit & exit
            5⤵
              PID:1684
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2988
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:304
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:1568
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious use of AdjustPrivilegeToken
                PID:2812
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM" & exit
              5⤵
                PID:2628
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "Services32" /tr '"C:\Users\Admin\AppData\Local\Temp\Services32.exe"' /RU "SYSTEM"
                  6⤵
                  • Scheduled Task/Job: Scheduled Task
                  PID:2088
            • C:\Windows\Resources\Themes\icsys.icn.exe
              C:\Windows\Resources\Themes\icsys.icn.exe
              4⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:568
              • \??\c:\windows\resources\themes\explorer.exe
                c:\windows\resources\themes\explorer.exe
                5⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:316
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2948
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            3⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1472
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe SE
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2188
              • \??\c:\windows\resources\svchost.exe
                c:\windows\resources\svchost.exe
                5⤵
                • Modifies visibility of hidden/system files in Explorer
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2648
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe PR
                  6⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2628
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:13 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2020
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:14 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1620
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 02:15 /f
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:1596
            • C:\Windows\Explorer.exe
              C:\Windows\Explorer.exe
              4⤵
                PID:1152

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Services32.exe

    Filesize

    206KB

    MD5

    70c771952bc897446d3ddad90541a1e6

    SHA1

    b00b50a893e4552651c4a5c38cf4bb9aed7a101e

    SHA256

    aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337

    SHA512

    33d402397289c1a828079dfdaaf3966c4b9720ffb070eeba0d5c23f4a3c6c448e4a3fd3cba2f82c712252ce03d726daabd2c66e97f950a122ffb3d5799bae56d

  • C:\Users\Admin\AppData\Local\Temp\aefd0c77949ccb2192070d1fb122cad87c1fc3e3c841b1928e3763fadf286337.exe

    Filesize

    71KB

    MD5

    5552f88a40afa2e2fef5acbd590ac812

    SHA1

    5afef5451811830c1ec3108cd7ee66a0418a6186

    SHA256

    9a05d71fc8bbbf8beaa8f993cb0d75cbab06ac4c9bf20fe843cfa034dd56a47f

    SHA512

    6de5db9d4decc44d4dba8b9097b93664d4942f9753ae6c3fd0e92496677ac93f4c37c0ceb8a07cf1b0fbe777f78eedc522b256be14e1cedfa5c3ef2da5fabbde

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OCQ0XGE4U0GAXOFME0K7.temp

    Filesize

    7KB

    MD5

    c9fc9b8ad7cbd3d6765983fed3ca979e

    SHA1

    602999306536161e23557f60fe7159c6349899af

    SHA256

    fb93d087e73a5d78dcee136c511dae3ab95455dfe975469d5a4f21960f64f7e8

    SHA512

    ab1e335c24e1f2ee34cac0009dc66ec2e913bbb4be8afb13069e50dcc7ac63a4add49ba2330b6aa0960b725c32f54af6400bd8a696a0ce10607b0dbdfea129ae

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    88d608afd994ac6b1ef1fb128280d62f

    SHA1

    cd820e32effa4c9cae8d1aec8c1c00b5ae316dbf

    SHA256

    fffed627f82f4009c36b0f4d277c8385bfbaac3b6c0dadca0fab55279a57d097

    SHA512

    6e5f0677c4b5c12db9b47b21f43f7600ff2502a81c0c90444d8cc595523d7616047aa90f194be9a96f4b40d9cd417265186e8d3680f016855a3ac5ef53dccf60

  • \Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

    Filesize

    11KB

    MD5

    d1f4a92a1672d7d22a90e2567523d03e

    SHA1

    a1683621e2103e1df1ce22def923e4ef62ddcd11

    SHA256

    48fd7864ad054ee98f30a32006af85dce9f47cc5fccf065e7da41624cf14f94b

    SHA512

    2e6e4dd8ed996ca9c95e7bf225f5b7b567f2a99ae13f637f23b2c959857f9e5ba5833e279b901c0a215cf5692dc6f3e28c47106cd386756e51f5f6f1298f247a

  • \Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    f2667d617c1c5156004ea365bc759c1c

    SHA1

    10592eb1cd290802867f1fa13470717fa5643f59

    SHA256

    e3aa603a42d20ba4f19f75839e090440cf224410b4bfd60f3aa9b95009a88792

    SHA512

    1cf3faf90dfd6a0834d4d20a825def7c259955ca9b6680fc0a4ff4584e890071655c1a3ed04785cebda52fdb1e6df5f836d4b8d3e4f6c95b5553fe30123ba803

  • \Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    fa5faa5ab9e8e27cbfb899a1223934c8

    SHA1

    26580034b2869e2b50c9acb39cc8d47a7a384334

    SHA256

    c85d27c446c4bf168df517ab33c403cac711611d3d3f4b3ee081e83a3e4789e0

    SHA512

    f11d0d00f1ddf585da36ee0aa96dba4184a80da77b77e62fab3527adb46afe7fd0f3bfabbd01f0d15fdeecb9515e70e61cba3c134f07db708ddbf1b8324c961b

  • \Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    bb2dfd78321279954fc9d98ca671c38b

    SHA1

    9d4e55c1813bf546dc62da1e0cc8234a79181dc8

    SHA256

    8c5d25bb1645b4fd8c33c679036ad74c78dd91695a357149387f32ae65cb3ecc

    SHA512

    45805a142618b5907b439cd8d92f2e9ffeb40821acff97be5d79d7ba2026076558b7f89b1322bc69851a355cd4f2f41e0f94e146eb32f3235732c44fe42ef25f

  • memory/316-171-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/568-173-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1092-99-0x000000013FFC0000-0x000000013FFC8000-memory.dmp

    Filesize

    32KB

  • memory/1092-174-0x0000000000140000-0x0000000000146000-memory.dmp

    Filesize

    24KB

  • memory/1472-175-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1644-114-0x000000013F2C0000-0x000000013F2D6000-memory.dmp

    Filesize

    88KB

  • memory/1736-121-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

  • memory/2188-75-0x0000000000460000-0x000000000047F000-memory.dmp

    Filesize

    124KB

  • memory/2188-88-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2596-172-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2612-30-0x0000000002040000-0x0000000002048000-memory.dmp

    Filesize

    32KB

  • memory/2612-29-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

    Filesize

    2.9MB

  • memory/2628-87-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2648-176-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2648-177-0x0000000001BA0000-0x0000000001BBF000-memory.dmp

    Filesize

    124KB

  • memory/2668-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2668-90-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2808-10-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

    Filesize

    4KB

  • memory/2808-41-0x000007FEF63D3000-0x000007FEF63D4000-memory.dmp

    Filesize

    4KB

  • memory/2808-91-0x0000000000760000-0x000000000076C000-memory.dmp

    Filesize

    48KB

  • memory/2808-11-0x000000013F130000-0x000000013F146000-memory.dmp

    Filesize

    88KB

  • memory/2924-21-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2924-17-0x000000001B620000-0x000000001B902000-memory.dmp

    Filesize

    2.9MB

  • memory/2924-18-0x0000000002820000-0x0000000002828000-memory.dmp

    Filesize

    32KB

  • memory/2924-19-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2924-16-0x000007FEF30CE000-0x000007FEF30CF000-memory.dmp

    Filesize

    4KB

  • memory/2924-20-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2924-22-0x0000000002CFB000-0x0000000002D62000-memory.dmp

    Filesize

    412KB

  • memory/2924-23-0x000007FEF2E10000-0x000007FEF37AD000-memory.dmp

    Filesize

    9.6MB

  • memory/2948-89-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2948-54-0x0000000001BB0000-0x0000000001BCF000-memory.dmp

    Filesize

    124KB