470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64

Analysis

max time kernel
148s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
18-04-2023 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe
Size

1.1MB
MD5

ed75d76599a28ea3a9213890bb534541
SHA1

9a9226447dc77c2fe52f9e50a80f460e4aa70fa7
SHA256

470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64
SHA512

61ff1bd345f89b766bd03111df410ecc0195e6811ce1e2b72b5b4c68801daa3635647588747d392174806079d5cfc594f7bebd8e930c28455639722e7c3e815e
SSDEEP

12288:ly90jbtVZiWhrNmwr9YtiN5FOE0R85qjICReSXuQ34SF3KA8hfroioskUibKWTcx:lyKtVdhpZucN5uT33pFa/TXkZcftf

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr387873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr387873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr387873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr387873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr387873.exe

Executes dropped EXE 6 IoCs

pid	Process
4052	un723814.exe
4200	un662067.exe
1436	pr387873.exe
4968	qu683136.exe
1096	rk318175.exe
4880	si812436.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr387873.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr387873.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un662067.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un723814.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un723814.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un662067.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3296	4880	WerFault.exe	72
4308	4880	WerFault.exe	72
4292	4880	WerFault.exe	72
4280	4880	WerFault.exe	72
4980	4880	WerFault.exe	72
4996	4880	WerFault.exe	72
4204	4880	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1436	pr387873.exe
1436	pr387873.exe
4968	qu683136.exe
4968	qu683136.exe
1096	rk318175.exe
1096	rk318175.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	pr387873.exe
Token: SeDebugPrivilege	4968	qu683136.exe
Token: SeDebugPrivilege	1096	rk318175.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 4052	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	66
PID 3452 wrote to memory of 4052	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	66
PID 3452 wrote to memory of 4052	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	66
PID 4052 wrote to memory of 4200	4052	un723814.exe	67
PID 4052 wrote to memory of 4200	4052	un723814.exe	67
PID 4052 wrote to memory of 4200	4052	un723814.exe	67
PID 4200 wrote to memory of 1436	4200	un662067.exe	68
PID 4200 wrote to memory of 1436	4200	un662067.exe	68
PID 4200 wrote to memory of 1436	4200	un662067.exe	68
PID 4200 wrote to memory of 4968	4200	un662067.exe	69
PID 4200 wrote to memory of 4968	4200	un662067.exe	69
PID 4200 wrote to memory of 4968	4200	un662067.exe	69
PID 4052 wrote to memory of 1096	4052	un723814.exe	71
PID 4052 wrote to memory of 1096	4052	un723814.exe	71
PID 4052 wrote to memory of 1096	4052	un723814.exe	71
PID 3452 wrote to memory of 4880	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	72
PID 3452 wrote to memory of 4880	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	72
PID 3452 wrote to memory of 4880	3452	470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe	72

C:\Users\Admin\AppData\Local\Temp\470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe
"C:\Users\Admin\AppData\Local\Temp\470cbacf96a02b92452bfdd28ff3bc30fd856a08b4c63e4dea23b8d040d86a64.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723814.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723814.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un662067.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un662067.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr387873.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr387873.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu683136.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu683136.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk318175.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk318175.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si812436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si812436.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 616
    3⤵
    - Program crash
    PID:3296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 700
    3⤵
    - Program crash
    PID:4308
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 836
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 684
    3⤵
    - Program crash
    PID:4280
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 872
    3⤵
    - Program crash
    PID:4980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 676
    3⤵
    - Program crash
    PID:4996
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 1068
    3⤵
    - Program crash
    PID:4204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si812436.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si812436.exe

Filesize
382KB

MD5
68fef23b69b71a8eea7e7fdc11d859ec

SHA1
03c5d3ce3c6a7c87d490deaac0cef3229430b818

SHA256
efccc1f4d10fc8260295ab2593396cdd1ddaf3a90254d94107e4fe8c90c6f2c6

SHA512
46196397db247e461a7fe7e61a97f0c5c18d38bc473e5ee68208a08286e0fcd934a147537a80e4602b793d5c5c9d3424b73b5e45202ec7c0d682798bf9584893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723814.exe

Filesize
762KB

MD5
400a9cfa6437409a72914dcaba9399d5

SHA1
6549ca9f187f34b808bca743deff64936c22f01c

SHA256
cd710bc2261e730ba4cbce96f077d4b05b51550f7cd29f12277d61e7765a5583

SHA512
afd116486274a1a4c57ae5aeed82fddd6161e3013cdca0a790e85c795eee11c22abac4770cccacc3d2de5c0189fd9a9635d7cd8895343f6626bc51756a61e659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723814.exe

Filesize
762KB

MD5
400a9cfa6437409a72914dcaba9399d5

SHA1
6549ca9f187f34b808bca743deff64936c22f01c

SHA256
cd710bc2261e730ba4cbce96f077d4b05b51550f7cd29f12277d61e7765a5583

SHA512
afd116486274a1a4c57ae5aeed82fddd6161e3013cdca0a790e85c795eee11c22abac4770cccacc3d2de5c0189fd9a9635d7cd8895343f6626bc51756a61e659

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk318175.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk318175.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un662067.exe

Filesize
608KB

MD5
1f293af9ba674981a5b0f75744532608

SHA1
e6569726d4bd9fc6f277572b8671760657681fb9

SHA256
08d9337ceefa0b9793af3da82f3d7d7baf382ab63a66f0f098e6989a12539c0b

SHA512
1d47eedd299512eb881336991b4f84baa5d00d75fd81ebcbec9153ac1c56f780bb74a4f47610ae77b55cbf34de429404995f76d18161a7397ee76ca47327cc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un662067.exe

Filesize
608KB

MD5
1f293af9ba674981a5b0f75744532608

SHA1
e6569726d4bd9fc6f277572b8671760657681fb9

SHA256
08d9337ceefa0b9793af3da82f3d7d7baf382ab63a66f0f098e6989a12539c0b

SHA512
1d47eedd299512eb881336991b4f84baa5d00d75fd81ebcbec9153ac1c56f780bb74a4f47610ae77b55cbf34de429404995f76d18161a7397ee76ca47327cc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr387873.exe

Filesize
402KB

MD5
fabe6ca2411c64b018dc5775c31b2304

SHA1
a75999e0b8e0c9739d090edc8868449dd79dce29

SHA256
2f37d88b18f1721f2686031f24a8f28206ddf9cde6597ff46ae51c2c1823ae70

SHA512
e904da6318fbdfd39bdc1ffaabc17147705e80941ba56bf3d648040484621a7f28e5365d3837c508700da3137a7a8a21a01e4a3a1fc6857789ccc134bcc6c2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr387873.exe

Filesize
402KB

MD5
fabe6ca2411c64b018dc5775c31b2304

SHA1
a75999e0b8e0c9739d090edc8868449dd79dce29

SHA256
2f37d88b18f1721f2686031f24a8f28206ddf9cde6597ff46ae51c2c1823ae70

SHA512
e904da6318fbdfd39bdc1ffaabc17147705e80941ba56bf3d648040484621a7f28e5365d3837c508700da3137a7a8a21a01e4a3a1fc6857789ccc134bcc6c2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu683136.exe

Filesize
485KB

MD5
b0c254b76b729209e2820bd064c02e43

SHA1
21929f03d4015f31c5c55156cdcfb9f384cd50f4

SHA256
7b8fb847a32a85d4ea275f03f367ca4c1948fe6f9987d1d1cf1f5dbbea1450b8

SHA512
d22fa2e0f2b86e1854dd5df29ca25bb37207d3a79d2059c6c2a511317154a3d685b4a8b4068899fcf12587ba315968f755086f14a4cc29cb3d00b8c0738ca02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu683136.exe

Filesize
485KB

MD5
b0c254b76b729209e2820bd064c02e43

SHA1
21929f03d4015f31c5c55156cdcfb9f384cd50f4

SHA256
7b8fb847a32a85d4ea275f03f367ca4c1948fe6f9987d1d1cf1f5dbbea1450b8

SHA512
d22fa2e0f2b86e1854dd5df29ca25bb37207d3a79d2059c6c2a511317154a3d685b4a8b4068899fcf12587ba315968f755086f14a4cc29cb3d00b8c0738ca02d

Download Submit
memory/1096-1004-0x0000000000660000-0x0000000000688000-memory.dmp

Filesize
160KB

Download
memory/1096-1006-0x0000000007430000-0x0000000007440000-memory.dmp

Filesize
64KB

Download
memory/1096-1005-0x00000000073E0000-0x000000000742B000-memory.dmp

Filesize
300KB

Download
memory/1436-153-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-169-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-147-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-151-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-150-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-149-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-159-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-157-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-167-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-177-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-175-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-173-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-171-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-148-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-165-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-163-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-161-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-155-0x0000000002590000-0x00000000025A2000-memory.dmp

Filesize
72KB

Download
memory/1436-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1436-179-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-180-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-181-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/1436-183-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1436-143-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/1436-146-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/1436-145-0x0000000002590000-0x00000000025A8000-memory.dmp

Filesize
96KB

Download
memory/1436-144-0x0000000004EA0000-0x000000000539E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-1012-0x00000000008E0000-0x0000000000915000-memory.dmp

Filesize
212KB

Download
memory/4968-190-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-197-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-199-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-201-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-203-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-205-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-207-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-209-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-211-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-213-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-215-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-217-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-219-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-221-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-223-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-267-0x0000000000A10000-0x0000000000A56000-memory.dmp

Filesize
280KB

Download
memory/4968-271-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4968-268-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4968-272-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4968-986-0x00000000077D0000-0x0000000007DD6000-memory.dmp

Filesize
6.0MB

Download
memory/4968-987-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4968-988-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-989-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/4968-990-0x0000000008130000-0x000000000817B000-memory.dmp

Filesize
300KB

Download
memory/4968-991-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4968-992-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4968-993-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/4968-994-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/4968-995-0x0000000008BE0000-0x0000000008BFE000-memory.dmp

Filesize
120KB

Download
memory/4968-195-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-193-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-191-0x0000000004DB0000-0x0000000004DE5000-memory.dmp

Filesize
212KB

Download
memory/4968-189-0x0000000004DB0000-0x0000000004DEA000-memory.dmp

Filesize
232KB

Download
memory/4968-188-0x00000000026D0000-0x000000000270C000-memory.dmp

Filesize
240KB

Download
memory/4968-996-0x0000000008CB0000-0x0000000008E72000-memory.dmp

Filesize
1.8MB

Download
memory/4968-997-0x0000000008E80000-0x00000000093AC000-memory.dmp

Filesize
5.2MB

Download
memory/4968-998-0x0000000002860000-0x00000000028B0000-memory.dmp

Filesize
320KB

Download