893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894

Analysis

max time kernel
151s
max time network
76s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
Size

294KB
MD5

0e589dc718978b73ed7f0254e4e3a9af
SHA1

374bec41a2013ecaa7a42a17df32d08a846818f7
SHA256

893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894
SHA512

9477c4bad8e2e7c38c0199f8051f27fed1b570936268086603b3022dc6105ff2918dee744853ef57da230b9620cc12cb0ebfbae26b332c3eae665b9d060ca7eb
SSDEEP

6144:KWrbUaaWGp3Bua8w3tkRfFFvW72dqeDG2omltDd0+MhoMnXCGGjGGtGGxGgG0GyE:Kc4aaNitwdAfFF9gPaFMuMnXji6

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1284	popape.exe
792	popape.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
648	netsh.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1080-64-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/files/0x00090000000126f1-69.dat	upx
behavioral1/files/0x00090000000126f1-70.dat	upx
behavioral1/files/0x00090000000126f1-72.dat	upx
behavioral1/memory/1284-78-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/files/0x00090000000126f1-80.dat	upx
behavioral1/memory/1284-90-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral1/files/0x00090000000126f1-88.dat	upx

Deletes itself 1 IoCs

pid	Process
1068	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\Currentversion\Run	popape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\{BDC9FABF-D5B4-BD80-EA57-80052F78FDF1} = "C:\\Users\\Admin\\AppData\\Roaming\\Ofiw\\popape.exe"	popape.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1284 set thread context of 792	1284	popape.exe	33

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	cmd.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe
792	popape.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
Token: SeSecurityPrivilege	1764	cmd.exe
Token: SeSecurityPrivilege	1764	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
1284	popape.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 1080 wrote to memory of 2016	1080	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	28
PID 2016 wrote to memory of 1764	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	29
PID 2016 wrote to memory of 1764	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	29
PID 2016 wrote to memory of 1764	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	29
PID 2016 wrote to memory of 1764	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	29
PID 2016 wrote to memory of 1284	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	31
PID 2016 wrote to memory of 1284	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	31
PID 2016 wrote to memory of 1284	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	31
PID 2016 wrote to memory of 1284	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	31
PID 1764 wrote to memory of 648	1764	cmd.exe	32
PID 1764 wrote to memory of 648	1764	cmd.exe	32
PID 1764 wrote to memory of 648	1764	cmd.exe	32
PID 1764 wrote to memory of 648	1764	cmd.exe	32
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 1284 wrote to memory of 792	1284	popape.exe	33
PID 2016 wrote to memory of 1068	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	34
PID 2016 wrote to memory of 1068	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	34
PID 2016 wrote to memory of 1068	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	34
PID 2016 wrote to memory of 1068	2016	893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe	34
PID 792 wrote to memory of 1108	792	popape.exe	12
PID 792 wrote to memory of 1108	792	popape.exe	12
PID 792 wrote to memory of 1108	792	popape.exe	12
PID 792 wrote to memory of 1108	792	popape.exe	12
PID 792 wrote to memory of 1108	792	popape.exe	12
PID 792 wrote to memory of 1176	792	popape.exe	17
PID 792 wrote to memory of 1176	792	popape.exe	17
PID 792 wrote to memory of 1176	792	popape.exe	17
PID 792 wrote to memory of 1176	792	popape.exe	17
PID 792 wrote to memory of 1176	792	popape.exe	17
PID 792 wrote to memory of 1208	792	popape.exe	13
PID 792 wrote to memory of 1208	792	popape.exe	13
PID 792 wrote to memory of 1208	792	popape.exe	13
PID 792 wrote to memory of 1208	792	popape.exe	13
PID 792 wrote to memory of 1208	792	popape.exe	13
PID 792 wrote to memory of 1764	792	popape.exe	29
PID 792 wrote to memory of 1764	792	popape.exe	29
PID 792 wrote to memory of 1764	792	popape.exe	29
PID 792 wrote to memory of 1764	792	popape.exe	29
PID 792 wrote to memory of 1764	792	popape.exe	29
PID 792 wrote to memory of 1332	792	popape.exe	30
PID 792 wrote to memory of 920	792	popape.exe	36
PID 792 wrote to memory of 920	792	popape.exe	36
PID 792 wrote to memory of 920	792	popape.exe	36
PID 792 wrote to memory of 920	792	popape.exe	36
PID 792 wrote to memory of 920	792	popape.exe	36
PID 792 wrote to memory of 976	792	popape.exe	37
PID 792 wrote to memory of 976	792	popape.exe	37
PID 792 wrote to memory of 976	792	popape.exe	37
PID 792 wrote to memory of 976	792	popape.exe	37

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
  "C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe
    "C:\Users\Admin\AppData\Local\Temp\893e59d63fa9947838bae5fdf6ff0cdebc5ebe81d1ffd82d543a8c4daf9ab894.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp1192a8d1.bat"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1764
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="explore" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe"
        5⤵
        Modifies Windows Firewall
        
        PID:648
  - - C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe
      "C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1284
    - - C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe
        
        "C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpbdd0ebb2.bat"
      4⤵
      Deletes itself
      PID:1068

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "64815536018511615631601746720-725023822-1680241175-5817075811272712896425491106"
1⤵
PID:1332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1192a8d1.bat

Filesize
200B

MD5
4fb1e09af2d8529fffe6a5b7a0fe49e1

SHA1
fd386fd4c91a76a22531ab1439a00490a3aed810

SHA256
67352c75dc6bddbe4389befd7b7e7cd22e65b64f5579cfefe32289801d4533b0

SHA512
76eeab051a74439a96448dfe7bff1765f7d80baa145d624864e40f249100bb6ae4c778a8baf406baee9b06ffdb3aa478b60586db10c4ec2bff3a5c6beadeffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpbdd0ebb2.bat

Filesize
307B

MD5
96e96d75f16616d617b4223f5c748018

SHA1
6d5ace5891df698e6722024a4ab6ce8bc5f077c9

SHA256
f3f8a37fcd31dac466c1577d8f884edc692b2123caa8ed8caf4c24b8b58ef705

SHA512
e8e8fd86da7aab329cbc35b01f303989182e5ba69e094e6481ca2abddd28ed6f90b479ea43ee28c58b695962ca6ef9f8578d62e40e0d2e76c72e17d02033dc6d

Download Submit
C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe

Filesize
294KB

MD5
8cca819ab54084c0144da5cf3dc57fa5

SHA1
ac29e560700d85998917b85091cca95a34bd9a16

SHA256
3fca93cf289cf96683aeb2d0ebad1f22b6e6881f45284c6e768ac5122820bd2c

SHA512
6bff79dfe48ce4dae3c6e168cadf093015befdb83f4b0348b1b69be672e5322b1b5d8cc34d2a673e09d8321e52cd082850f822c5423ea679dbf5f7a389ffd833

Download Submit
C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe

Filesize
294KB

MD5
8cca819ab54084c0144da5cf3dc57fa5

SHA1
ac29e560700d85998917b85091cca95a34bd9a16

SHA256
3fca93cf289cf96683aeb2d0ebad1f22b6e6881f45284c6e768ac5122820bd2c

SHA512
6bff79dfe48ce4dae3c6e168cadf093015befdb83f4b0348b1b69be672e5322b1b5d8cc34d2a673e09d8321e52cd082850f822c5423ea679dbf5f7a389ffd833

Download Submit
C:\Users\Admin\AppData\Roaming\Ofiw\popape.exe

Filesize
294KB

MD5
8cca819ab54084c0144da5cf3dc57fa5

SHA1
ac29e560700d85998917b85091cca95a34bd9a16

SHA256
3fca93cf289cf96683aeb2d0ebad1f22b6e6881f45284c6e768ac5122820bd2c

SHA512
6bff79dfe48ce4dae3c6e168cadf093015befdb83f4b0348b1b69be672e5322b1b5d8cc34d2a673e09d8321e52cd082850f822c5423ea679dbf5f7a389ffd833

Download Submit
C:\Users\Admin\AppData\Roaming\Ugin\onquigz.eni

Filesize
323B

MD5
27e003c95290bb0bd67360725629da7d

SHA1
638b9613db81464c838ed6f82244b6be2ef3eb64

SHA256
57ea30088ae66c1c5364aa72666ce75f9dfdf42fa9564c6e4722b740685d4984

SHA512
96d8a0b005806ed99e47ff4411dc7ffdd56e92a28463f550fa98871afb2447c45eaab2ad9af8fceb93dbd050e8598e17ec03b5e93653a3e0d29d8d9c74e6b5b9

Download Submit
\Users\Admin\AppData\Roaming\Ofiw\popape.exe

Filesize
294KB

MD5
8cca819ab54084c0144da5cf3dc57fa5

SHA1
ac29e560700d85998917b85091cca95a34bd9a16

SHA256
3fca93cf289cf96683aeb2d0ebad1f22b6e6881f45284c6e768ac5122820bd2c

SHA512
6bff79dfe48ce4dae3c6e168cadf093015befdb83f4b0348b1b69be672e5322b1b5d8cc34d2a673e09d8321e52cd082850f822c5423ea679dbf5f7a389ffd833

Download Submit
\Users\Admin\AppData\Roaming\Ofiw\popape.exe

Filesize
294KB

MD5
8cca819ab54084c0144da5cf3dc57fa5

SHA1
ac29e560700d85998917b85091cca95a34bd9a16

SHA256
3fca93cf289cf96683aeb2d0ebad1f22b6e6881f45284c6e768ac5122820bd2c

SHA512
6bff79dfe48ce4dae3c6e168cadf093015befdb83f4b0348b1b69be672e5322b1b5d8cc34d2a673e09d8321e52cd082850f822c5423ea679dbf5f7a389ffd833

Download Submit
memory/792-121-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/792-130-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/920-126-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/920-127-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/920-128-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/920-129-0x00000000027F0000-0x0000000002817000-memory.dmp

Filesize
156KB

Download
memory/976-135-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/976-136-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/976-134-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/976-133-0x0000000001C60000-0x0000000001C87000-memory.dmp

Filesize
156KB

Download
memory/1080-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1108-97-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-93-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-99-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-96-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1108-98-0x0000000001CC0000-0x0000000001CE7000-memory.dmp

Filesize
156KB

Download
memory/1176-104-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1176-103-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1176-102-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1176-106-0x00000000019C0000-0x00000000019E7000-memory.dmp

Filesize
156KB

Download
memory/1208-109-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1208-111-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1208-110-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1208-112-0x0000000002B70000-0x0000000002B97000-memory.dmp

Filesize
156KB

Download
memory/1284-90-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1284-78-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1764-120-0x0000000000590000-0x00000000005AB000-memory.dmp

Filesize
108KB

Download
memory/1764-115-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1764-117-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1764-116-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/1764-118-0x0000000000590000-0x00000000005B7000-memory.dmp

Filesize
156KB

Download
memory/2004-142-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/2004-141-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/2004-140-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/2004-139-0x0000000000110000-0x0000000000137000-memory.dmp

Filesize
156KB

Download
memory/2016-62-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2016-77-0x0000000002590000-0x00000000025FE000-memory.dmp

Filesize
440KB

Download
memory/2016-65-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2016-66-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2016-59-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2016-67-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2016-60-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2016-57-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2016-56-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2016-95-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download