d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6

Analysis

max time kernel
145s
max time network
92s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe
Size

1.0MB
MD5

6a7fa8ac6c6f71cdaf2715f917f3abab
SHA1

2eabb155b7cf2ad244815d89a91a49feffa3ddc3
SHA256

d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6
SHA512

781310debcf82d801222753efbc51845bff101bd3cf27433c9a0fc7b6b758011c18b14168cad31b09e122cfec45b772780e8e01a16a3b8ce03d8a8fc459da39b
SSDEEP

24576:8yVG5AygOFd2JCAoSx8tjCqRUKhrL6VaVD2VMTcaAI:rVGOygid2JTx3HaVSVMT7

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr156144.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr156144.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr156144.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr156144.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr156144.exe

Executes dropped EXE 6 IoCs

pid	Process
3540	un882030.exe
4672	un122469.exe
1420	pr156144.exe
1956	qu234036.exe
4568	rk354711.exe
420	si153988.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr156144.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr156144.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un882030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un882030.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un122469.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un122469.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3840	420	WerFault.exe	72
3844	420	WerFault.exe	72
3092	420	WerFault.exe	72
1320	420	WerFault.exe	72
3748	420	WerFault.exe	72
1128	420	WerFault.exe	72
1568	420	WerFault.exe	72
1560	420	WerFault.exe	72
4500	420	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1420	pr156144.exe
1420	pr156144.exe
1956	qu234036.exe
1956	qu234036.exe
4568	rk354711.exe
4568	rk354711.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	pr156144.exe
Token: SeDebugPrivilege	1956	qu234036.exe
Token: SeDebugPrivilege	4568	rk354711.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
420	si153988.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3540	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	66
PID 2112 wrote to memory of 3540	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	66
PID 2112 wrote to memory of 3540	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	66
PID 3540 wrote to memory of 4672	3540	un882030.exe	67
PID 3540 wrote to memory of 4672	3540	un882030.exe	67
PID 3540 wrote to memory of 4672	3540	un882030.exe	67
PID 4672 wrote to memory of 1420	4672	un122469.exe	68
PID 4672 wrote to memory of 1420	4672	un122469.exe	68
PID 4672 wrote to memory of 1420	4672	un122469.exe	68
PID 4672 wrote to memory of 1956	4672	un122469.exe	69
PID 4672 wrote to memory of 1956	4672	un122469.exe	69
PID 4672 wrote to memory of 1956	4672	un122469.exe	69
PID 3540 wrote to memory of 4568	3540	un882030.exe	71
PID 3540 wrote to memory of 4568	3540	un882030.exe	71
PID 3540 wrote to memory of 4568	3540	un882030.exe	71
PID 2112 wrote to memory of 420	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	72
PID 2112 wrote to memory of 420	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	72
PID 2112 wrote to memory of 420	2112	d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe	72

C:\Users\Admin\AppData\Local\Temp\d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe
"C:\Users\Admin\AppData\Local\Temp\d4eb4b12202a90369e14027a10ec8e08b5e3f360508f677df89857f55876e2a6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882030.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882030.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un122469.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un122469.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr156144.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr156144.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu234036.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu234036.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk354711.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk354711.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153988.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153988.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 620
    3⤵
    - Program crash
    PID:3840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 700
    3⤵
    - Program crash
    PID:3844
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 836
    3⤵
    - Program crash
    PID:3092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 820
    3⤵
    - Program crash
    PID:1320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 880
    3⤵
    - Program crash
    PID:3748
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 884
    3⤵
    - Program crash
    PID:1128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1120
    3⤵
    - Program crash
    PID:1568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1160
    3⤵
    - Program crash
    PID:1560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1176
    3⤵
    - Program crash
    PID:4500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153988.exe

Filesize
367KB

MD5
5c26d70a6aafc14cb22ef442a01b81f5

SHA1
59ac56e665aa945b9281c884ea3b3ae0ea97a562

SHA256
1cb14d86393d38a231198112391484412836ad9d31294141a81a0b4973b109db

SHA512
eb182ea07018b0a4594c0340c8db75f202305c4c5aec6cfb398d56e7f999fe1841a45c1c963a01e845d8530f4c22bf72542debde144aab1f07db062ba28888fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si153988.exe

Filesize
367KB

MD5
5c26d70a6aafc14cb22ef442a01b81f5

SHA1
59ac56e665aa945b9281c884ea3b3ae0ea97a562

SHA256
1cb14d86393d38a231198112391484412836ad9d31294141a81a0b4973b109db

SHA512
eb182ea07018b0a4594c0340c8db75f202305c4c5aec6cfb398d56e7f999fe1841a45c1c963a01e845d8530f4c22bf72542debde144aab1f07db062ba28888fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882030.exe

Filesize
749KB

MD5
d5cb45fd66f22ba545e3711dd90f38c1

SHA1
89d8909e29775b739a0610a22d41786386e40698

SHA256
9c242d0d65214201ceafaed879c1cf0da415d6afed63eaa8ca7e7eb2aba8ee93

SHA512
333ea2ead8d9db93cd8c0082086d7d6e18bfc7b18080c10c907e4966521c9ebe35ab58612ee373b186d0d18b1d606fa155d05fa392e5ade4cdf8e340b7c271a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un882030.exe

Filesize
749KB

MD5
d5cb45fd66f22ba545e3711dd90f38c1

SHA1
89d8909e29775b739a0610a22d41786386e40698

SHA256
9c242d0d65214201ceafaed879c1cf0da415d6afed63eaa8ca7e7eb2aba8ee93

SHA512
333ea2ead8d9db93cd8c0082086d7d6e18bfc7b18080c10c907e4966521c9ebe35ab58612ee373b186d0d18b1d606fa155d05fa392e5ade4cdf8e340b7c271a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk354711.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk354711.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un122469.exe

Filesize
595KB

MD5
39680d55ccff87ddd1283a129c4bbe52

SHA1
23070933694dae7c56dfdbb6359aeb94f60b41be

SHA256
36e20e89b13a9c09164c0bea3636f08f2e82892f35443f20486225bda6342a04

SHA512
94a579485054a780fe0ba4601f9c9806a746e79219d7e76bba74ca4582dad936764f2e92248a6e339fdee137de2ea58b99e62ff479f09e839a9f99d5ca3cf4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un122469.exe

Filesize
595KB

MD5
39680d55ccff87ddd1283a129c4bbe52

SHA1
23070933694dae7c56dfdbb6359aeb94f60b41be

SHA256
36e20e89b13a9c09164c0bea3636f08f2e82892f35443f20486225bda6342a04

SHA512
94a579485054a780fe0ba4601f9c9806a746e79219d7e76bba74ca4582dad936764f2e92248a6e339fdee137de2ea58b99e62ff479f09e839a9f99d5ca3cf4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr156144.exe

Filesize
389KB

MD5
61fd6c7f236c4d7641a4d1912198fbb8

SHA1
73f8edbd12f2b22a9e1e9ea1d7cfc37adc18f4dc

SHA256
3ac37f72f503d981ae543bd7526638045ec78bc9954ea680d38b37f5b1c4c6a2

SHA512
f4db64ae1e95e7e957a0cfdf3b3dff026b31af789d5953bc97e22ce6dbd43b2c605ccc1e822b9c049711b95b9190e3cab42dde64ff18f7493c93b5aadc751091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr156144.exe

Filesize
389KB

MD5
61fd6c7f236c4d7641a4d1912198fbb8

SHA1
73f8edbd12f2b22a9e1e9ea1d7cfc37adc18f4dc

SHA256
3ac37f72f503d981ae543bd7526638045ec78bc9954ea680d38b37f5b1c4c6a2

SHA512
f4db64ae1e95e7e957a0cfdf3b3dff026b31af789d5953bc97e22ce6dbd43b2c605ccc1e822b9c049711b95b9190e3cab42dde64ff18f7493c93b5aadc751091

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu234036.exe

Filesize
472KB

MD5
3774def6b7e03d566c352d6ab12cc24d

SHA1
6a3d1055efbf84a0761b4dd4399a2fe98d1539d8

SHA256
c05d07a02fecd6e9794b98d045bf17b13bbe459856c52e522e23424eddb512c1

SHA512
49b4257269b5fbeb2f923d216dcbc80593e0e610e98470c2fb74817d6d239caa72ead803924ba58c6cd160175a919ef2dcbbe925727dfe227f9bc6cc98dd5514

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu234036.exe

Filesize
472KB

MD5
3774def6b7e03d566c352d6ab12cc24d

SHA1
6a3d1055efbf84a0761b4dd4399a2fe98d1539d8

SHA256
c05d07a02fecd6e9794b98d045bf17b13bbe459856c52e522e23424eddb512c1

SHA512
49b4257269b5fbeb2f923d216dcbc80593e0e610e98470c2fb74817d6d239caa72ead803924ba58c6cd160175a919ef2dcbbe925727dfe227f9bc6cc98dd5514

Download Submit
memory/420-1008-0x00000000008D0000-0x0000000000905000-memory.dmp

Filesize
212KB

Download
memory/1420-149-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-161-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-142-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1420-144-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-145-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-146-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-147-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-141-0x0000000004D30000-0x0000000004D48000-memory.dmp

Filesize
96KB

Download
memory/1420-151-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-153-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-157-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-155-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-159-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-143-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-163-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-165-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-167-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-169-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-171-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-173-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1420-174-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/1420-175-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-176-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-177-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/1420-179-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/1420-140-0x0000000004DD0000-0x00000000052CE000-memory.dmp

Filesize
5.0MB

Download
memory/1420-139-0x00000000025B0000-0x00000000025CA000-memory.dmp

Filesize
104KB

Download
memory/1956-187-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-503-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1956-189-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-191-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-193-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-195-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-197-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-199-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-201-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-205-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-207-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-203-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-209-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-211-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-213-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-215-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-217-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-219-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-501-0x0000000000920000-0x0000000000966000-memory.dmp

Filesize
280KB

Download
memory/1956-186-0x0000000002750000-0x0000000002785000-memory.dmp

Filesize
212KB

Download
memory/1956-507-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1956-505-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1956-982-0x00000000077D0000-0x0000000007DD6000-memory.dmp

Filesize
6.0MB

Download
memory/1956-983-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/1956-984-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/1956-985-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/1956-986-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/1956-987-0x0000000002700000-0x0000000002710000-memory.dmp

Filesize
64KB

Download
memory/1956-988-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/1956-989-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/1956-990-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/1956-991-0x0000000008B10000-0x0000000008CD2000-memory.dmp

Filesize
1.8MB

Download
memory/1956-992-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/1956-993-0x0000000009320000-0x000000000933E000-memory.dmp

Filesize
120KB

Download
memory/1956-994-0x0000000002370000-0x00000000023C0000-memory.dmp

Filesize
320KB

Download
memory/1956-184-0x0000000002630000-0x000000000266C000-memory.dmp

Filesize
240KB

Download
memory/1956-185-0x0000000002750000-0x000000000278A000-memory.dmp

Filesize
232KB

Download
memory/4568-1001-0x00000000076F0000-0x000000000773B000-memory.dmp

Filesize
300KB

Download
memory/4568-1000-0x0000000000970000-0x0000000000998000-memory.dmp

Filesize
160KB

Download
memory/4568-1002-0x0000000007A50000-0x0000000007A60000-memory.dmp

Filesize
64KB

Download