c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942

Analysis

max time kernel
149s
max time network
94s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19/04/2023, 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe
Size

964KB
MD5

6644e60ec6e8b0e11f88645caaab8368
SHA1

973fab79d5ac47ad301b4323d2e8b30b461a0f95
SHA256

c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942
SHA512

596f9d824b8c66e964cc1dd6c30b1a165ce66b2cb3fb0c110270401c9e0e474b9301081aec3e17a0a7bca98c88f02194beed6f5bc063a4d0c3a03307c9869e87
SSDEEP

24576:AywHHly8p7VdPCDgP4ZVWIwkYNzm9kKwCcYFrIgqqyIP8b+Cgi:HwHHlyu7VZ+1Yy9kKwLYFrIZqyy8N

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr592636.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr592636.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr592636.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr592636.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr592636.exe

Executes dropped EXE 6 IoCs

pid	Process
2512	un652852.exe
4960	un839283.exe
2064	pr592636.exe
1964	qu677234.exe
2012	rk472799.exe
2868	si639883.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr592636.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr592636.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un652852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un652852.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un839283.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un839283.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4872	2868	WerFault.exe	72
4884	2868	WerFault.exe	72
3860	2868	WerFault.exe	72
1244	2868	WerFault.exe	72
3084	2868	WerFault.exe	72
4500	2868	WerFault.exe	72
4656	2868	WerFault.exe	72
4180	2868	WerFault.exe	72
3592	2868	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2064	pr592636.exe
2064	pr592636.exe
1964	qu677234.exe
1964	qu677234.exe
2012	rk472799.exe
2012	rk472799.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	pr592636.exe
Token: SeDebugPrivilege	1964	qu677234.exe
Token: SeDebugPrivilege	2012	rk472799.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2868	si639883.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 2512	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	66
PID 4140 wrote to memory of 2512	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	66
PID 4140 wrote to memory of 2512	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	66
PID 2512 wrote to memory of 4960	2512	un652852.exe	67
PID 2512 wrote to memory of 4960	2512	un652852.exe	67
PID 2512 wrote to memory of 4960	2512	un652852.exe	67
PID 4960 wrote to memory of 2064	4960	un839283.exe	68
PID 4960 wrote to memory of 2064	4960	un839283.exe	68
PID 4960 wrote to memory of 2064	4960	un839283.exe	68
PID 4960 wrote to memory of 1964	4960	un839283.exe	69
PID 4960 wrote to memory of 1964	4960	un839283.exe	69
PID 4960 wrote to memory of 1964	4960	un839283.exe	69
PID 2512 wrote to memory of 2012	2512	un652852.exe	71
PID 2512 wrote to memory of 2012	2512	un652852.exe	71
PID 2512 wrote to memory of 2012	2512	un652852.exe	71
PID 4140 wrote to memory of 2868	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	72
PID 4140 wrote to memory of 2868	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	72
PID 4140 wrote to memory of 2868	4140	c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe	72

C:\Users\Admin\AppData\Local\Temp\c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe
"C:\Users\Admin\AppData\Local\Temp\c244858ae2ac3264a5c3aa8338240e348a651c3ac2a6c7d7c5feadf7bb4a8942.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652852.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652852.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839283.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839283.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr592636.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr592636.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu677234.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu677234.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk472799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk472799.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si639883.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si639883.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2868
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 644
    3⤵
    - Program crash
    PID:4872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 720
    3⤵
    - Program crash
    PID:4884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 848
    3⤵
    - Program crash
    PID:3860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 856
    3⤵
    - Program crash
    PID:1244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 884
    3⤵
    - Program crash
    PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 900
    3⤵
    - Program crash
    PID:4500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1124
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1156
    3⤵
    - Program crash
    PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 1104
    3⤵
    - Program crash
    PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si639883.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si639883.exe

Filesize
255KB

MD5
52c8d88080f3b880e0069039afe3789c

SHA1
5ed21c4848963a502e42d79d83112cc21e011ad0

SHA256
d4d4b2046cb3530b50a2df1b32e1007fbd48765edb16172ff0d66e25760d6b7f

SHA512
2483edd417dddea08dce66ad25af0f96928fd7cf071eb49b2ab989f40b880bb8039aab7aa97547c6ae67567b21bee71e20f14c09597f6c7869196db2014f5ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652852.exe

Filesize
705KB

MD5
2e76767e9b02f4fe26b4d174caf7d84f

SHA1
55210f8638b13fb4e1befe6c87b32f261b425a65

SHA256
d4dab053c98e8ee934a426d62a5bbf51b91941c8c06fbbd68081fe8b0d7e1985

SHA512
5544040ef1542b4f41897f63d61113b992ea431e694a81d5914bf4ed0a278df6ca82adf20e0dfc0f754b38f72cc5e70f9c64be122df3acc533b84d180e115349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652852.exe

Filesize
705KB

MD5
2e76767e9b02f4fe26b4d174caf7d84f

SHA1
55210f8638b13fb4e1befe6c87b32f261b425a65

SHA256
d4dab053c98e8ee934a426d62a5bbf51b91941c8c06fbbd68081fe8b0d7e1985

SHA512
5544040ef1542b4f41897f63d61113b992ea431e694a81d5914bf4ed0a278df6ca82adf20e0dfc0f754b38f72cc5e70f9c64be122df3acc533b84d180e115349

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk472799.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk472799.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839283.exe

Filesize
551KB

MD5
5f4b472de210e1d7884720a1151921c7

SHA1
8a395627095b2e84e05cf7d22178a3f3b301001f

SHA256
459328966b6e472b54d2439c7d1dccd249cbaf21148b99a164adf34c3fb4eaab

SHA512
3bdf7c87dc88ec29c77006a5aef540a6040c6c02b6e169e717a044818839aa84acc8f767dd24aa884f88dc43230bdd1b0f521a61c75e98e77dfd2e092c22dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un839283.exe

Filesize
551KB

MD5
5f4b472de210e1d7884720a1151921c7

SHA1
8a395627095b2e84e05cf7d22178a3f3b301001f

SHA256
459328966b6e472b54d2439c7d1dccd249cbaf21148b99a164adf34c3fb4eaab

SHA512
3bdf7c87dc88ec29c77006a5aef540a6040c6c02b6e169e717a044818839aa84acc8f767dd24aa884f88dc43230bdd1b0f521a61c75e98e77dfd2e092c22dc4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr592636.exe

Filesize
277KB

MD5
f017a44cb80f089c0386e2f20aed21c6

SHA1
34e45e83ddbc8eef9628b68ee868562652a54db8

SHA256
d4dee5acdbc7021504e0b6c15a4b1e300e195c4d371bc22d8cef71a35a8527ee

SHA512
cbbc4060013b71bbbbbb3764369d44ec031aa59bcede647cc05c50fd7d48ab23d81efb74d6920892dbfbd9f6a24b88f992383f29d4edc03ba08b7128a9e7808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr592636.exe

Filesize
277KB

MD5
f017a44cb80f089c0386e2f20aed21c6

SHA1
34e45e83ddbc8eef9628b68ee868562652a54db8

SHA256
d4dee5acdbc7021504e0b6c15a4b1e300e195c4d371bc22d8cef71a35a8527ee

SHA512
cbbc4060013b71bbbbbb3764369d44ec031aa59bcede647cc05c50fd7d48ab23d81efb74d6920892dbfbd9f6a24b88f992383f29d4edc03ba08b7128a9e7808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu677234.exe

Filesize
360KB

MD5
e295fa8c8a39d7679577d144e0957bab

SHA1
e94e9bc503ed58ee500861ac82edcf095cf7eddc

SHA256
e337664ea5fe017387db20ccb3bef0d3855a749aa86334f1a2475df144c311eb

SHA512
ba1d3aa99478aaa28becaee48432588400d59719cce96fbeb2222e09dae7524dd28fc9a208bd438f3c94098def35f887bef0762e00d6c9016f764b126e3ed121

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu677234.exe

Filesize
360KB

MD5
e295fa8c8a39d7679577d144e0957bab

SHA1
e94e9bc503ed58ee500861ac82edcf095cf7eddc

SHA256
e337664ea5fe017387db20ccb3bef0d3855a749aa86334f1a2475df144c311eb

SHA512
ba1d3aa99478aaa28becaee48432588400d59719cce96fbeb2222e09dae7524dd28fc9a208bd438f3c94098def35f887bef0762e00d6c9016f764b126e3ed121

Download Submit
memory/1964-231-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/1964-983-0x000000000A390000-0x000000000A3CE000-memory.dmp

Filesize
248KB

Download
memory/1964-993-0x0000000006C60000-0x0000000006CB0000-memory.dmp

Filesize
320KB

Download
memory/1964-991-0x000000000B6E0000-0x000000000B6FE000-memory.dmp

Filesize
120KB

Download
memory/1964-990-0x000000000B080000-0x000000000B5AC000-memory.dmp

Filesize
5.2MB

Download
memory/1964-989-0x000000000AEA0000-0x000000000B062000-memory.dmp

Filesize
1.8MB

Download
memory/1964-988-0x000000000ADE0000-0x000000000AE56000-memory.dmp

Filesize
472KB

Download
memory/1964-987-0x000000000AD10000-0x000000000ADA2000-memory.dmp

Filesize
584KB

Download
memory/1964-986-0x000000000A660000-0x000000000A6C6000-memory.dmp

Filesize
408KB

Download
memory/1964-985-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/1964-984-0x000000000A4D0000-0x000000000A51B000-memory.dmp

Filesize
300KB

Download
memory/1964-982-0x000000000A230000-0x000000000A33A000-memory.dmp

Filesize
1.0MB

Download
memory/1964-981-0x000000000A200000-0x000000000A212000-memory.dmp

Filesize
72KB

Download
memory/1964-980-0x0000000009BF0000-0x000000000A1F6000-memory.dmp

Filesize
6.0MB

Download
memory/1964-228-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/1964-227-0x0000000007260000-0x0000000007270000-memory.dmp

Filesize
64KB

Download
memory/1964-218-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-216-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-214-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-212-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-210-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-208-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-182-0x0000000004820000-0x0000000004866000-memory.dmp

Filesize
280KB

Download
memory/1964-183-0x0000000004A90000-0x0000000004ACC000-memory.dmp

Filesize
240KB

Download
memory/1964-184-0x0000000007120000-0x000000000715A000-memory.dmp

Filesize
232KB

Download
memory/1964-185-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-188-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-186-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-190-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-192-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-194-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-196-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-198-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-200-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-202-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-204-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/1964-206-0x0000000007120000-0x0000000007155000-memory.dmp

Filesize
212KB

Download
memory/2012-999-0x0000000000FE0000-0x0000000001008000-memory.dmp

Filesize
160KB

Download
memory/2012-1001-0x0000000007D90000-0x0000000007DA0000-memory.dmp

Filesize
64KB

Download
memory/2012-1000-0x0000000007DA0000-0x0000000007DEB000-memory.dmp

Filesize
300KB

Download
memory/2064-160-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2064-159-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-173-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/2064-172-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-170-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-142-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-168-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-166-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-164-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-148-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-162-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-144-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-158-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2064-177-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2064-156-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2064-154-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-155-0x00000000047E0000-0x000000000480D000-memory.dmp

Filesize
180KB

Download
memory/2064-152-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-150-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-141-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-140-0x0000000004DB0000-0x0000000004DC8000-memory.dmp

Filesize
96KB

Download
memory/2064-176-0x00000000073C0000-0x00000000073D0000-memory.dmp

Filesize
64KB

Download
memory/2064-175-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/2064-146-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2064-139-0x00000000073D0000-0x00000000078CE000-memory.dmp

Filesize
5.0MB

Download
memory/2064-138-0x0000000004B20000-0x0000000004B3A000-memory.dmp

Filesize
104KB

Download
memory/2868-1007-0x0000000002CF0000-0x0000000002D25000-memory.dmp

Filesize
212KB

Download