Overview

overview

10

Static

static

3

17fdb70dd6...80.exe

windows7-x64

17fdb70dd6...80.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    52s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 08:21

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80.exe

  • Size

    14.8MB

  • MD5

    3da089c1ed8bb4643f95aafea7150310

  • SHA1

    ea6376ccb7c27a5c5daee560935806370c094861

  • SHA256

    17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80

  • SHA512

    cc76b08edd17ef89d9ecf01c433070882e05b1147acf2a4e69b17997d0c026f9196b1bc6b3a6186281c7b8f0189fb9f4b54706b4ad566643f7d4da22cba94594

  • SSDEEP

    393216:h6JN7+zbZFph3fBXKfiyuoDliKXzyuMxM0XbcE:4mbZFph3NKjsqydxM0XbJ

Score
10/10
defense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwaretrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Disables RegEdit via registry modification 2 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Disables use of System Restore points 1 TTPs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
    persistence
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 48 IoCs
  • Loads dropped DLL 48 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 8 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80.exe
    "C:\Users\Admin\AppData\Local\Temp\17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops autorun.inf file
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2400
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2052
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:1156
    • C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows /all /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Interacts with shadow copies
      PID:2280
    • C:\Windows\SysWOW64\NetSh.exe
      NetSh Advfirewall set allprofiles state off
      2⤵
      • Modifies Windows Firewall
      • Event Triggered Execution: Netsh Helper DLL
      • System Location Discovery: System Language Discovery
      PID:2292
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2644
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2676
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1088
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2004
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2028
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1492
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2868
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2856
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2232
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2376
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2964
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1576
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1608
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2528
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2132
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1592
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1620
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2820
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2260
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2760
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:112
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:860
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2684
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1812
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:600
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2340
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1356
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2224
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:912
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1800
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2156
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2096
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:856
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1608
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1632
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2860
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2300
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3036
    • C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 00 -f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Users\Admin\AppData\Local\Temp\Payload2.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2456
    • C:\Users\Admin\AppData\Local\Temp\Payload1.exe
      "C:\Users\Admin\AppData\Local\Temp\Payload1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2676
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2908
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:3068
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:1784

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Event Triggered Execution

      2
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      2
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Winlogon Helper DLL

      1
      T1547.004

      Create or Modify System Process

      2
      T1543

      Windows Service

      2
      T1543.003

      Event Triggered Execution

      2
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Direct Volume Access

      1
      T1006

      Impair Defenses

      3
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Disable or Modify Tools

      2
      T1562.001

      Indicator Removal

      2
      T1070

      File Deletion

      2
      T1070.004

      Modify Registry

      5
      T1112

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      3
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\Payload1.exe
        Filesize

        14.8MB

        MD5

        3da089c1ed8bb4643f95aafea7150310

        SHA1

        ea6376ccb7c27a5c5daee560935806370c094861

        SHA256

        17fdb70dd61b548790180b3c3431ca826d4206a7d479c3042e12032d13803e80

        SHA512

        cc76b08edd17ef89d9ecf01c433070882e05b1147acf2a4e69b17997d0c026f9196b1bc6b3a6186281c7b8f0189fb9f4b54706b4ad566643f7d4da22cba94594

        Download Submit

      • memory/112-86-0x0000000001160000-0x000000000202C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/856-106-0x0000000001080000-0x0000000001F4C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1088-26-0x0000000001210000-0x00000000020DC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1284-81-0x0000000000340000-0x000000000120C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1392-59-0x0000000000070000-0x0000000000F3C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1576-54-0x0000000000AF0000-0x00000000019BC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1592-69-0x0000000000B80000-0x0000000001A4C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1608-60-0x0000000000D00000-0x0000000001BCC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1632-107-0x0000000001390000-0x000000000225C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1772-53-0x00000000001B0000-0x000000000107C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1800-105-0x00000000008B0000-0x000000000177C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1812-96-0x0000000001290000-0x000000000215C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/1996-103-0x0000000001330000-0x00000000021FC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2004-29-0x0000000000C00000-0x0000000001ACC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2020-91-0x0000000000390000-0x000000000125C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2092-101-0x0000000001310000-0x00000000021DC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2224-104-0x00000000000B0000-0x0000000000F7C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2260-76-0x0000000001100000-0x0000000001FCC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2300-108-0x0000000000130000-0x0000000000FFC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2400-1-0x0000000000D50000-0x0000000001C1C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2400-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2400-41-0x00000000740CE000-0x00000000740CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2400-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2400-113-0x00000000740C0000-0x00000000747AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2400-45-0x00000000740C0000-0x00000000747AE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2456-111-0x0000000000190000-0x000000000105C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2528-65-0x0000000000330000-0x00000000011FC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2644-23-0x0000000000800000-0x00000000016CC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2676-22-0x00000000002B0000-0x000000000117C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2676-112-0x0000000001110000-0x0000000001FDC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2716-97-0x00000000012B0000-0x000000000217C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2800-109-0x0000000001340000-0x000000000220C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2820-74-0x0000000000ED0000-0x0000000001D9C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2856-38-0x00000000013A0000-0x000000000226C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2868-39-0x0000000001010000-0x0000000001EDC000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/2964-48-0x0000000000240000-0x000000000110C000-memory.dmp

        Filesize

        14.8MB

        Download

      • memory/3036-110-0x00000000001F0000-0x00000000010BC000-memory.dmp

        Filesize

        14.8MB

        Download