a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9

Analysis

max time kernel
152s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Size

1.8MB
MD5

a9c865933b8aa2b12f65b1ee21b2e67e
SHA1

7431a1d9b783c506871ab142bec03075d81325b9
SHA256

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9
SHA512

22e23b9e591ffd2fc46d3b1548df5710c10357ddc9259ee0f6d9aa31850baa4d05229d13731226171641c495448528c02083e21056349413308ae1d5d5464bd1
SSDEEP

49152:akwkn9IMHea846H3G6PwLELhrIuXlyP9AgaPCS:JdnVmGakkrIuXlyPiPC

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

Executes dropped EXE 2 IoCs

Processes:

4140.exewaop.exe

pid process

844 4140.exe
1268 waop.exe

pid	process
844	4140.exe
1268	waop.exe

Loads dropped DLL 7 IoCs

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe4140.exewaop.exe

pid	process
1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
844	4140.exe
844	4140.exe
1268	waop.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

waop.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	waop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\Currentversion\Run	waop.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xacyh = "C:\\Users\\Admin\\AppData\\Roaming\\Yzsok\\waop.exe"	waop.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4140.exe

description pid process target process

PID 844 set thread context of 320 844 4140.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 844 set thread context of 320	844	4140.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4140.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	4140.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4140.exe

NTFS ADS 1 IoCs

Processes:

WinMail.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Local Folders\Inbox\24802CEC-00000001.eml:OECustomProperty	WinMail.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

waop.exe

pid	process
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe
1268	waop.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

4140.execmd.exeWinMail.exe

description	pid	process
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	844	4140.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeSecurityPrivilege	320	cmd.exe
Token: SeManageVolumePrivilege	1776	WinMail.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

WinMail.exe

pid process

1776 WinMail.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WinMail.exe

pid process

1776 WinMail.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

WinMail.exe

pid process

1776 WinMail.exe

pid	process
1776	WinMail.exe

pid	process
1776	WinMail.exe

pid	process
1776	WinMail.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe4140.exewaop.exe

description	pid	process	target process
PID 1636 wrote to memory of 844	1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 1636 wrote to memory of 844	1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 1636 wrote to memory of 844	1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 1636 wrote to memory of 844	1636	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe	4140.exe
PID 844 wrote to memory of 1268	844	4140.exe	waop.exe
PID 844 wrote to memory of 1268	844	4140.exe	waop.exe
PID 844 wrote to memory of 1268	844	4140.exe	waop.exe
PID 844 wrote to memory of 1268	844	4140.exe	waop.exe
PID 1268 wrote to memory of 1120	1268	waop.exe	taskhost.exe
PID 1268 wrote to memory of 1120	1268	waop.exe	taskhost.exe
PID 1268 wrote to memory of 1120	1268	waop.exe	taskhost.exe
PID 1268 wrote to memory of 1120	1268	waop.exe	taskhost.exe
PID 1268 wrote to memory of 1120	1268	waop.exe	taskhost.exe
PID 1268 wrote to memory of 1164	1268	waop.exe	Dwm.exe
PID 1268 wrote to memory of 1164	1268	waop.exe	Dwm.exe
PID 1268 wrote to memory of 1164	1268	waop.exe	Dwm.exe
PID 1268 wrote to memory of 1164	1268	waop.exe	Dwm.exe
PID 1268 wrote to memory of 1164	1268	waop.exe	Dwm.exe
PID 1268 wrote to memory of 1196	1268	waop.exe	Explorer.EXE
PID 1268 wrote to memory of 1196	1268	waop.exe	Explorer.EXE
PID 1268 wrote to memory of 1196	1268	waop.exe	Explorer.EXE
PID 1268 wrote to memory of 1196	1268	waop.exe	Explorer.EXE
PID 1268 wrote to memory of 1196	1268	waop.exe	Explorer.EXE
PID 1268 wrote to memory of 844	1268	waop.exe	4140.exe
PID 1268 wrote to memory of 844	1268	waop.exe	4140.exe
PID 1268 wrote to memory of 844	1268	waop.exe	4140.exe
PID 1268 wrote to memory of 844	1268	waop.exe	4140.exe
PID 1268 wrote to memory of 844	1268	waop.exe	4140.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 844 wrote to memory of 320	844	4140.exe	cmd.exe
PID 1268 wrote to memory of 1768	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1768	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1768	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1768	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1768	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1584	1268	waop.exe	conhost.exe
PID 1268 wrote to memory of 1584	1268	waop.exe	conhost.exe
PID 1268 wrote to memory of 1584	1268	waop.exe	conhost.exe
PID 1268 wrote to memory of 1584	1268	waop.exe	conhost.exe
PID 1268 wrote to memory of 1584	1268	waop.exe	conhost.exe
PID 1268 wrote to memory of 1776	1268	waop.exe	WinMail.exe
PID 1268 wrote to memory of 1776	1268	waop.exe	WinMail.exe
PID 1268 wrote to memory of 1776	1268	waop.exe	WinMail.exe
PID 1268 wrote to memory of 1776	1268	waop.exe	WinMail.exe
PID 1268 wrote to memory of 1776	1268	waop.exe	WinMail.exe
PID 1268 wrote to memory of 1712	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1712	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1712	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1712	1268	waop.exe	DllHost.exe
PID 1268 wrote to memory of 1712	1268	waop.exe	DllHost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe

C:\Users\Admin\AppData\Local\Temp\a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe
"C:\Users\Admin\AppData\Local\Temp\a0131ea9d81fde204643f8522e88629c0c066d3e56630febc093e36626fe8ce9.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1636

C:\Users\Admin\AppData\Local\Temp\4140\4140.exe
"C:\Users\Admin\AppData\Local\Temp\4140\4140.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Roaming\Yzsok\waop.exe
"C:\Users\Admin\AppData\Roaming\Yzsok\waop.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp31b5ad47.bat"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "525894199-8784050752104368582354203914-2135414366-482009578-1575706309406367765"
1⤵
PID:1584

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" -Embedding
1⤵
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31b5ad47.bat
Filesize
197B

MD5
beef34569cfd22ef37a0f4427204fc19

SHA1
e3adcbc8e4335041a202abd7f12f2024ca8f7ae9

SHA256
7a90d0de221a4c71b833829ecf180af6d33885d782f4e21aebd021cea085dab6

SHA512
bf302b9d6aaa0f3994fd54b94e5daff23edea2cb99af2002cf1bed23639c5d6fbbc790d55e859a04cc3d540d76611ea04608bcd2be76a2e5398250408f3d1ba3

Download Submit
C:\Users\Admin\AppData\Roaming\Anpud\sysog.kis
Filesize
3KB

MD5
b0327b5ab692dcb518e8ccc61ed32ef5

SHA1
d1937dcc11e02021036b7ad5989646ee86b6c78b

SHA256
daf8d64666656acc3a0198d7569fd5a3ecece11dee5ed4e68e8202707e31fc61

SHA512
85a8bcdd1f70f6ff0c1be0fe1a4f28a6de17e8539feb0a13428859948e46a13b167d4d2667157dcbc4a6c2f1585ce113d4d8998bfd5b68404df366aa539b59f1

Download Submit
C:\Users\Admin\AppData\Roaming\Yzsok\waop.exe
Filesize
221KB

MD5
0dd619c39e9d6d335cf58203920f0df3

SHA1
fc80979e4c8e6ca2be0eb32cc370e5f8e720abdb

SHA256
d0359b1b6f4cf762254e5df887b7e80cc02ad3f340a6c1293f5c7515cfd306e8

SHA512
6c37dfb2091845ae128b8bdcd36b9aafcf66988d0cbb29317f8fe784408d08de88b5a7f9460d5e7e617ed4697fca5ba30d65cc986160a747bd416916024aaec5

Download Submit
C:\Users\Admin\AppData\Roaming\Yzsok\waop.exe
Filesize
221KB

MD5
0dd619c39e9d6d335cf58203920f0df3

SHA1
fc80979e4c8e6ca2be0eb32cc370e5f8e720abdb

SHA256
d0359b1b6f4cf762254e5df887b7e80cc02ad3f340a6c1293f5c7515cfd306e8

SHA512
6c37dfb2091845ae128b8bdcd36b9aafcf66988d0cbb29317f8fe784408d08de88b5a7f9460d5e7e617ed4697fca5ba30d65cc986160a747bd416916024aaec5

Download Submit
\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
\Users\Admin\AppData\Local\Temp\4140\4140.exe
Filesize
221KB

MD5
6ebdd2a615d1514c9fe6eb924301ffc3

SHA1
0abb35b008f89d4f37e5db1ce42dc18e212d2243

SHA256
5da7beb43ed1a185967a28a4f4b029e157eb15166b1ee3c6fdec02f7160b04da

SHA512
8186e16c07dc7fc1e585e0bfedb53df8fdfeb09481ee9699d369fb69a794d4c88df09cadacd9f6e7a607d5033ff1af3942eebc7e01954f67e47dbd911d8a10b9

Download Submit
\Users\Admin\AppData\Roaming\Yzsok\waop.exe
Filesize
221KB

MD5
0dd619c39e9d6d335cf58203920f0df3

SHA1
fc80979e4c8e6ca2be0eb32cc370e5f8e720abdb

SHA256
d0359b1b6f4cf762254e5df887b7e80cc02ad3f340a6c1293f5c7515cfd306e8

SHA512
6c37dfb2091845ae128b8bdcd36b9aafcf66988d0cbb29317f8fe784408d08de88b5a7f9460d5e7e617ed4697fca5ba30d65cc986160a747bd416916024aaec5

Download Submit
\Users\Admin\AppData\Roaming\Yzsok\waop.exe
Filesize
221KB

MD5
0dd619c39e9d6d335cf58203920f0df3

SHA1
fc80979e4c8e6ca2be0eb32cc370e5f8e720abdb

SHA256
d0359b1b6f4cf762254e5df887b7e80cc02ad3f340a6c1293f5c7515cfd306e8

SHA512
6c37dfb2091845ae128b8bdcd36b9aafcf66988d0cbb29317f8fe784408d08de88b5a7f9460d5e7e617ed4697fca5ba30d65cc986160a747bd416916024aaec5

Download Submit
memory/320-129-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-113-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-131-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-99-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-127-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-125-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-123-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-121-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-119-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-115-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-117-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-133-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-111-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-231-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-109-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-107-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-104-0x0000000000069BF5-mapping.dmp

Download
memory/320-103-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-102-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-101-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/320-270-0x0000000000050000-0x000000000008B000-memory.dmp

Filesize
236KB

Download
memory/844-91-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-95-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-94-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-93-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-92-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-105-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/844-59-0x0000000000000000-mapping.dmp

Download
memory/844-90-0x0000000001BD0000-0x0000000001C0B000-memory.dmp

Filesize
236KB

Download
memory/1120-72-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1120-74-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1120-71-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1120-69-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1120-73-0x0000000001DE0000-0x0000000001E1B000-memory.dmp

Filesize
236KB

Download
memory/1164-79-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1164-80-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1164-77-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1164-78-0x00000000001A0000-0x00000000001DB000-memory.dmp

Filesize
236KB

Download
memory/1196-83-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1196-85-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1196-84-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1196-86-0x0000000002210000-0x000000000224B000-memory.dmp

Filesize
236KB

Download
memory/1268-65-0x0000000000000000-mapping.dmp

Download
memory/1636-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download