isrstealer | db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4

Analysis

max time kernel
158s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2022 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe
Size

703KB
MD5

19267e9740aa0b82458d47205147d260
SHA1

dfd35f3b69bbe3a9b5c4da7ecce400bddd031cea
SHA256

db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4
SHA512

2096e7a2907781990f0122ba15a6fb024c7b62656e94abd6dc2b41e33617fe393079ada21ba3f925aad2d629d2c00b22c69f9ebf27bd56b0c653e86253b9c0e4
SSDEEP

12288:Bxb7DuiQkDYtkE+18hf9h3T5KT3F+4tLLHj5F/Vd4fXVqh:ffTQkD3EkSP3AV7hdui

Score

10^/10

isrstealer aspackv2 collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/3728-156-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/3728-158-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer
behavioral2/memory/3728-188-0x0000000000400000-0x0000000000470000-memory.dmp	family_isrstealer

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/1988-185-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral2/memory/1988-187-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4068-169-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/4068-173-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/4068-179-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView
behavioral2/memory/4068-184-0x0000000000400000-0x0000000000454000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/4068-169-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/4068-173-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/4068-179-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/1988-185-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1400-186-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft
behavioral2/memory/4068-184-0x0000000000400000-0x0000000000454000-memory.dmp	Nirsoft
behavioral2/memory/1988-187-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral2/memory/1400-181-0x0000000000400000-0x0000000000426000-memory.dmp	Nirsoft

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0006000000022e13-137.dat	aspack_v212_v242

Executes dropped EXE 3 IoCs

pid	Process
4904	Patch.exe
3428	mev.exe
1316	dwm.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1988-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1988-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1400-186-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1988-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1400-181-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1400-178-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1988-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1400-172-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	mev.exe

Loads dropped DLL 5 IoCs

pid	Process
4904	Patch.exe
4904	Patch.exe
4904	Patch.exe
4904	Patch.exe
4904	Patch.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AppLaunch.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1316 set thread context of 3728	1316	dwm.exe	92
PID 3728 set thread context of 3052	3728	AppLaunch.exe	93
PID 3052 set thread context of 4068	3052	AppLaunch.exe	94
PID 3052 set thread context of 1400	3052	AppLaunch.exe	95
PID 3052 set thread context of 1988	3052	AppLaunch.exe	96

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	dwm.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	mev.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	mev.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3428	mev.exe
3428	mev.exe
3428	mev.exe
1316	dwm.exe
1316	dwm.exe
1316	dwm.exe
1400	AppLaunch.exe
1400	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	4276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4276	AUDIODG.EXE
Token: SeDebugPrivilege	3428	mev.exe
Token: SeDebugPrivilege	1316	dwm.exe
Token: SeDebugPrivilege	1400	AppLaunch.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3728	AppLaunch.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4904	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	83
PID 4732 wrote to memory of 4904	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	83
PID 4732 wrote to memory of 4904	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	83
PID 4732 wrote to memory of 3428	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	84
PID 4732 wrote to memory of 3428	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	84
PID 4732 wrote to memory of 3428	4732	db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe	84
PID 3428 wrote to memory of 1316	3428	mev.exe	88
PID 3428 wrote to memory of 1316	3428	mev.exe	88
PID 3428 wrote to memory of 1316	3428	mev.exe	88
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 1316 wrote to memory of 3728	1316	dwm.exe	92
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3728 wrote to memory of 3052	3728	AppLaunch.exe	93
PID 3052 wrote to memory of 4068	3052	AppLaunch.exe	94
PID 3052 wrote to memory of 4068	3052	AppLaunch.exe	94
PID 3052 wrote to memory of 4068	3052	AppLaunch.exe	94
PID 3052 wrote to memory of 4068	3052	AppLaunch.exe	94
PID 3052 wrote to memory of 4068	3052	AppLaunch.exe	94
PID 3052 wrote to memory of 1400	3052	AppLaunch.exe	95
PID 3052 wrote to memory of 1400	3052	AppLaunch.exe	95
PID 3052 wrote to memory of 1400	3052	AppLaunch.exe	95
PID 3052 wrote to memory of 1400	3052	AppLaunch.exe	95
PID 3052 wrote to memory of 1400	3052	AppLaunch.exe	95
PID 3052 wrote to memory of 1988	3052	AppLaunch.exe	96
PID 3052 wrote to memory of 1988	3052	AppLaunch.exe	96
PID 3052 wrote to memory of 1988	3052	AppLaunch.exe	96
PID 3052 wrote to memory of 1988	3052	AppLaunch.exe	96
PID 3052 wrote to memory of 1988	3052	AppLaunch.exe	96

C:\Users\Admin\AppData\Local\Temp\db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe
"C:\Users\Admin\AppData\Local\Temp\db84e18be1fbebc285a4c8f2f7ece79940b7a681172f6d38e382916dc33368b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\Patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4904
- C:\Users\Admin\AppData\Local\Temp\mev.exe
  "C:\Users\Admin\AppData\Local\Temp\mev.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3428
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dwm.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1316
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data.dmp
        6⤵
        
        PID:4068
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data1.dmp
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe" /scomma C:\Users\Admin\AppData\Local\Temp\data2.dmp
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:1988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x424 0x4c4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64F4EA4C8142CAC73E06647D59A699D1.dll

Filesize
4KB

MD5
14dd1f05c6bd3ce4acab3ebdb9f0903b

SHA1
2dbdebf59a5bf398cb73d930e9f9796a888e93e8

SHA256
9a9296a1cc6c243e166b301346c4cd9dec45028bbc80fde3903b6c3740c6a239

SHA512
2db28bd0b610290d5b028429a19dedb1ed90a4564ead3b14d20f5677a308a1eafa1dac737cfd2b4c9b614b81e4747cde61f8cc9cba654d22ad5aff435f987155

Download Submit
C:\Users\Admin\AppData\Local\Temp\9CE5948F6F706809AD1DF3709868DF94.dll

Filesize
3KB

MD5
459ab623c4848cc699392078368ee335

SHA1
4d98cf6fc8aee72fc6d75f7e6b105ddaace84e70

SHA256
01778aa8b5c4bb01f823097544520a556d6e623c1e35ec317fd1ecb03e3b69ea

SHA512
8c166e0d558926b4c930f2c8c8a5ed6be4a36cbf42774eea2cd8bc78e5b5c5826084a54b2e786c2cd29a4827513b393245e54c6854ee4324d8c3367439e14e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C5E3399ED9A072FE864748D49BA96094.dll

Filesize
2KB

MD5
13249bc6aa781475cde4a1c90f95efd4

SHA1
0d8698befd283ca69d87ce44dad225ef792b06da

SHA256
3922a8c1b0f58b74fc3d89d7eec3fe5c5b0e8bda6b36491d2380431dd8e8284a

SHA512
aec8b793c4a1c9789af70fdaad3aa473a581585e8b76669d187cabe6c88363bacbed28200dd8f243f9dd50fc8fc27339f0e687341024d466a4d5078c28a768d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
182KB

MD5
afea344b7708e963375e0ce557621527

SHA1
621a08aec19504b6c5b7f17285d2a874cf56f4c8

SHA256
5741da081a96fb84bf486d61227031ceecc0995edf5c3ae67478599986abdf30

SHA512
2cf499ec941b61a42175f9c0e72e796cee06639c5146d36963582d673f0a2c81eb63d6741d9afde8678385507859140eaec16808629796823e1dce331303b7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Patch.exe

Filesize
182KB

MD5
afea344b7708e963375e0ce557621527

SHA1
621a08aec19504b6c5b7f17285d2a874cf56f4c8

SHA256
5741da081a96fb84bf486d61227031ceecc0995edf5c3ae67478599986abdf30

SHA512
2cf499ec941b61a42175f9c0e72e796cee06639c5146d36963582d673f0a2c81eb63d6741d9afde8678385507859140eaec16808629796823e1dce331303b7a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\bassmod.dll

Filesize
9KB

MD5
780d14604d49e3c634200c523def8351

SHA1
e208ef6f421d2260070a9222f1f918f1de0a8eeb

SHA256
844eb66a10b848d3a71a8c63c35f0a01550a46d2ff8503e2ca8947978b03b4d2

SHA512
a49c030f11da8f0cdc4205c86bec00653ec2f8899983cad9d7195fd23255439291aaec5a7e128e1a103efd93b8566e86f15af89eba4efebf9debce14a7a5564b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
176KB

MD5
6992610c5dfdeed28fd1b80fdbdcf80c

SHA1
88f6c8c287323563d30d437e5bea9253d12fd73b

SHA256
4ff58b1a8b8f90d3d31b1e572b2a49a43ce8468c4f65edfbcd8bed65aafde5aa

SHA512
d35984ebed9f6b924940346b7d672a77665a36a2ce895b3a4e98cd5bf5fb9ce175a6d8dbd8268bd26b58ad50230f10ac64c703928034574ee8c6501c13a34bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mev.exe

Filesize
512KB

MD5
4ba5220ffac550859114896d27ad0015

SHA1
0df2e0c3746d9a52bfdcccb8a19942b16baf0d61

SHA256
2b18ba9861f7308935287976a009000f4c1d37c86b4677f0dc5471d1a049d6d8

SHA512
f8a03d8c907c81e71d7992b1c39dfb53e623043facb312b255386b5fbee52181722a74426737f04f7e06f4327fa68a5c72bcac5906596be1c3552f8f4c6669c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mev.exe

Filesize
512KB

MD5
4ba5220ffac550859114896d27ad0015

SHA1
0df2e0c3746d9a52bfdcccb8a19942b16baf0d61

SHA256
2b18ba9861f7308935287976a009000f4c1d37c86b4677f0dc5471d1a049d6d8

SHA512
f8a03d8c907c81e71d7992b1c39dfb53e623043facb312b255386b5fbee52181722a74426737f04f7e06f4327fa68a5c72bcac5906596be1c3552f8f4c6669c4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dwm.exe

Filesize
512KB

MD5
4ba5220ffac550859114896d27ad0015

SHA1
0df2e0c3746d9a52bfdcccb8a19942b16baf0d61

SHA256
2b18ba9861f7308935287976a009000f4c1d37c86b4677f0dc5471d1a049d6d8

SHA512
f8a03d8c907c81e71d7992b1c39dfb53e623043facb312b255386b5fbee52181722a74426737f04f7e06f4327fa68a5c72bcac5906596be1c3552f8f4c6669c4

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

Filesize
392B

MD5
06829787472566cd250ecd6a8b4d8fe7

SHA1
88a70cfe294b510e8d88ecb3344adeb779963e25

SHA256
774e982353d65e9b9ca804e5e4e4c354f5774f918f389c55490326cd14f3bb2f

SHA512
93f914c2ae23982381c5c8d66415017955952afa4e61704bd63e06d772d17ce6bd217821e5f0a098cb606291ac5aeec4b286e0cfaf3863eb8555bb2bae12093b

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
392B

MD5
06829787472566cd250ecd6a8b4d8fe7

SHA1
88a70cfe294b510e8d88ecb3344adeb779963e25

SHA256
774e982353d65e9b9ca804e5e4e4c354f5774f918f389c55490326cd14f3bb2f

SHA512
93f914c2ae23982381c5c8d66415017955952afa4e61704bd63e06d772d17ce6bd217821e5f0a098cb606291ac5aeec4b286e0cfaf3863eb8555bb2bae12093b

Download Submit
memory/1316-152-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1316-153-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1316-162-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/1400-178-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1400-172-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1400-186-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1400-181-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1988-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3052-166-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-182-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-177-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-165-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3052-167-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/3428-149-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3428-154-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3428-147-0x0000000075160000-0x0000000075711000-memory.dmp

Filesize
5.7MB

Download
memory/3728-188-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3728-158-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3728-156-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4068-184-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4068-179-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4068-173-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4068-169-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4904-148-0x0000000074410000-0x00000000744DC000-memory.dmp

Filesize
816KB

Download
memory/4904-140-0x0000000074410000-0x00000000744DC000-memory.dmp

Filesize
816KB

Download
memory/4904-138-0x0000000074410000-0x00000000744DC000-memory.dmp

Filesize
816KB

Download
memory/4904-141-0x0000000074410000-0x00000000744DC000-memory.dmp

Filesize
816KB

Download
memory/4904-143-0x0000000074410000-0x00000000744DC000-memory.dmp

Filesize
816KB

Download