a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe
Size

964KB
MD5

822d5f54ff88c842c1d6d330b95538c4
SHA1

9f23af3acedd64f911ffcf710c07eb86e7376e07
SHA256

a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae
SHA512

fa1eeb81b9eacc56c94e1a0ce7766258f54bc8930bec91d7f4f46a41d27f9c3323ed06ac1e7953fbd2d7e02392dc8b50ef3a6038109330aa350296dd646bb4a9
SSDEEP

24576:qyrTVUTsWZ/jfBcl/JotbOm8qHsmPH8R/g:xrTVUTdZ/jJIJmZjPH6

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr923628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr923628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr923628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr923628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr923628.exe

Executes dropped EXE 6 IoCs

pid	Process
4088	un790987.exe
4332	un027248.exe
4348	pr923628.exe
4848	qu815068.exe
4364	rk893413.exe
4056	si371116.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr923628.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr923628.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un790987.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un790987.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un027248.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un027248.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3804	4056	WerFault.exe	72
2156	4056	WerFault.exe	72
4388	4056	WerFault.exe	72
4200	4056	WerFault.exe	72
2528	4056	WerFault.exe	72
4788	4056	WerFault.exe	72
4840	4056	WerFault.exe	72
1100	4056	WerFault.exe	72
4176	4056	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4348	pr923628.exe
4348	pr923628.exe
4848	qu815068.exe
4848	qu815068.exe
4364	rk893413.exe
4364	rk893413.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	pr923628.exe
Token: SeDebugPrivilege	4848	qu815068.exe
Token: SeDebugPrivilege	4364	rk893413.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 4088	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	66
PID 4208 wrote to memory of 4088	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	66
PID 4208 wrote to memory of 4088	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	66
PID 4088 wrote to memory of 4332	4088	un790987.exe	67
PID 4088 wrote to memory of 4332	4088	un790987.exe	67
PID 4088 wrote to memory of 4332	4088	un790987.exe	67
PID 4332 wrote to memory of 4348	4332	un027248.exe	68
PID 4332 wrote to memory of 4348	4332	un027248.exe	68
PID 4332 wrote to memory of 4348	4332	un027248.exe	68
PID 4332 wrote to memory of 4848	4332	un027248.exe	69
PID 4332 wrote to memory of 4848	4332	un027248.exe	69
PID 4332 wrote to memory of 4848	4332	un027248.exe	69
PID 4088 wrote to memory of 4364	4088	un790987.exe	71
PID 4088 wrote to memory of 4364	4088	un790987.exe	71
PID 4088 wrote to memory of 4364	4088	un790987.exe	71
PID 4208 wrote to memory of 4056	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	72
PID 4208 wrote to memory of 4056	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	72
PID 4208 wrote to memory of 4056	4208	a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe	72

C:\Users\Admin\AppData\Local\Temp\a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe
"C:\Users\Admin\AppData\Local\Temp\a6c3672c91e3fc4f85c47dd9e3ac1eea2c3c2c5a1eac3769cf299709059437ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790987.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790987.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027248.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027248.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923628.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923628.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu815068.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu815068.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk893413.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk893413.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si371116.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si371116.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 620
    3⤵
    - Program crash
    PID:3804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 700
    3⤵
    - Program crash
    PID:2156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 840
    3⤵
    - Program crash
    PID:4388
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 844
    3⤵
    - Program crash
    PID:4200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 876
    3⤵
    - Program crash
    PID:2528
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 888
    3⤵
    - Program crash
    PID:4788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1124
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1172
    3⤵
    - Program crash
    PID:1100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 1096
    3⤵
    - Program crash
    PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si371116.exe

Filesize
256KB

MD5
1f4d6620dd17f89d453af8d286bc7eb0

SHA1
5bba287ffaed814fd6e05b61bd59748c6ea97211

SHA256
dace9bf4e1c93fb930ebf99d179f2e5456f24b50d62c2ef9e9207d46c64ec9bb

SHA512
5f5bdba80939154fbba26cf8dfa9794d735417f4618f290becca6de4d8bd324e5235a51c7eeaeabbee318b4cf0bdb2639e593667cbdecde5809858b05a38d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si371116.exe

Filesize
256KB

MD5
1f4d6620dd17f89d453af8d286bc7eb0

SHA1
5bba287ffaed814fd6e05b61bd59748c6ea97211

SHA256
dace9bf4e1c93fb930ebf99d179f2e5456f24b50d62c2ef9e9207d46c64ec9bb

SHA512
5f5bdba80939154fbba26cf8dfa9794d735417f4618f290becca6de4d8bd324e5235a51c7eeaeabbee318b4cf0bdb2639e593667cbdecde5809858b05a38d7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790987.exe

Filesize
705KB

MD5
6d0f3223057e8e4e726c9e8861d893d3

SHA1
8ad4f53962583f298b929d9d048b58a60f83312b

SHA256
3cabe49d075aa009c2e5131e744785489e2961acbc094b85a8967d74a99ff426

SHA512
c658789b03af73355c7ea59688232351144118196642e8d0decef29a26058db63bdb488c9c1f0ff0efb0edea98b1428c793cd4899c5cb9716c72a68b586a79d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un790987.exe

Filesize
705KB

MD5
6d0f3223057e8e4e726c9e8861d893d3

SHA1
8ad4f53962583f298b929d9d048b58a60f83312b

SHA256
3cabe49d075aa009c2e5131e744785489e2961acbc094b85a8967d74a99ff426

SHA512
c658789b03af73355c7ea59688232351144118196642e8d0decef29a26058db63bdb488c9c1f0ff0efb0edea98b1428c793cd4899c5cb9716c72a68b586a79d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk893413.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk893413.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027248.exe

Filesize
551KB

MD5
dd57f7e041abd2d66ab7ebd22750b074

SHA1
fcb247129add98f8b2c6b8cace74115b4f9f510f

SHA256
690a8d83daa799a8f16b4b0390a441259d59503acee236836af5c01df43bb071

SHA512
055ec1204683d6ff547b7d38412338c538650457e0a3276989ebe2a785057f18f3ae656c169bd956c4c5d04ba6fcddc71542fdeb295d4e955e6dc122cae05d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027248.exe

Filesize
551KB

MD5
dd57f7e041abd2d66ab7ebd22750b074

SHA1
fcb247129add98f8b2c6b8cace74115b4f9f510f

SHA256
690a8d83daa799a8f16b4b0390a441259d59503acee236836af5c01df43bb071

SHA512
055ec1204683d6ff547b7d38412338c538650457e0a3276989ebe2a785057f18f3ae656c169bd956c4c5d04ba6fcddc71542fdeb295d4e955e6dc122cae05d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923628.exe

Filesize
278KB

MD5
bb210f5b6a864555d970c01ba4340690

SHA1
ab75425b7c435f2be9a9994d792153802d88523c

SHA256
df8fd43d887a061de6fc525e0eb7804739b98bd0740c7b162047784542e26a7b

SHA512
dd326c63e287bacb4fe6200ec4f1da8c25703e0056dfddcf63a44db001b63e5daee8d48418ec02d406266c10f6ef7c823feed13d56881ff1117a9c1f13199616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr923628.exe

Filesize
278KB

MD5
bb210f5b6a864555d970c01ba4340690

SHA1
ab75425b7c435f2be9a9994d792153802d88523c

SHA256
df8fd43d887a061de6fc525e0eb7804739b98bd0740c7b162047784542e26a7b

SHA512
dd326c63e287bacb4fe6200ec4f1da8c25703e0056dfddcf63a44db001b63e5daee8d48418ec02d406266c10f6ef7c823feed13d56881ff1117a9c1f13199616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu815068.exe

Filesize
360KB

MD5
f780791c3d3ace6c170a4d86dd24cd6a

SHA1
4f1ab622dcf77851756ffdbe33b54554f3e7360f

SHA256
134351b437fb4b5a4036b7c39b3ab702b239a743010c1ae13e85d1bc7765c733

SHA512
9be422c9838d371ba05ff1078417686ae0ed409654b831ced56aaff0e7c04bffe615d5ebdb4d4e6f314e101e73333daedd91d7c63afb0d22a005b5fe64940142

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu815068.exe

Filesize
360KB

MD5
f780791c3d3ace6c170a4d86dd24cd6a

SHA1
4f1ab622dcf77851756ffdbe33b54554f3e7360f

SHA256
134351b437fb4b5a4036b7c39b3ab702b239a743010c1ae13e85d1bc7765c733

SHA512
9be422c9838d371ba05ff1078417686ae0ed409654b831ced56aaff0e7c04bffe615d5ebdb4d4e6f314e101e73333daedd91d7c63afb0d22a005b5fe64940142

Download Submit
memory/4056-1007-0x0000000002CB0000-0x0000000002CE5000-memory.dmp

Filesize
212KB

Download
memory/4348-150-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-166-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-139-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4348-144-0x0000000004850000-0x0000000004868000-memory.dmp

Filesize
96KB

Download
memory/4348-145-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-146-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-148-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-138-0x0000000004770000-0x000000000478A000-memory.dmp

Filesize
104KB

Download
memory/4348-152-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-154-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-156-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-158-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-160-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-162-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-164-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-140-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4348-168-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-170-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-172-0x0000000004850000-0x0000000004862000-memory.dmp

Filesize
72KB

Download
memory/4348-173-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4348-174-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4348-175-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4348-176-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4348-178-0x0000000000400000-0x0000000002B9F000-memory.dmp

Filesize
39.6MB

Download
memory/4348-141-0x0000000007240000-0x000000000773E000-memory.dmp

Filesize
5.0MB

Download
memory/4348-143-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4348-142-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4364-999-0x0000000000F10000-0x0000000000F38000-memory.dmp

Filesize
160KB

Download
memory/4364-1000-0x0000000007C90000-0x0000000007CDB000-memory.dmp

Filesize
300KB

Download
memory/4364-1001-0x0000000007F40000-0x0000000007F50000-memory.dmp

Filesize
64KB

Download
memory/4848-185-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4848-189-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-191-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-193-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-195-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-197-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-199-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-201-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-203-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-207-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-205-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-209-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-211-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-213-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-215-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-217-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4848-218-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-220-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-222-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-981-0x000000000A250000-0x000000000A856000-memory.dmp

Filesize
6.0MB

Download
memory/4848-982-0x0000000007260000-0x0000000007272000-memory.dmp

Filesize
72KB

Download
memory/4848-983-0x0000000009C40000-0x0000000009D4A000-memory.dmp

Filesize
1.0MB

Download
memory/4848-984-0x0000000009D50000-0x0000000009D8E000-memory.dmp

Filesize
248KB

Download
memory/4848-985-0x0000000009DC0000-0x0000000009E0B000-memory.dmp

Filesize
300KB

Download
memory/4848-986-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4848-987-0x000000000A050000-0x000000000A0B6000-memory.dmp

Filesize
408KB

Download
memory/4848-988-0x000000000AD10000-0x000000000ADA2000-memory.dmp

Filesize
584KB

Download
memory/4848-989-0x000000000AEC0000-0x000000000AF36000-memory.dmp

Filesize
472KB

Download
memory/4848-990-0x000000000AF80000-0x000000000AF9E000-memory.dmp

Filesize
120KB

Download
memory/4848-188-0x0000000004B50000-0x0000000004B85000-memory.dmp

Filesize
212KB

Download
memory/4848-187-0x0000000004B50000-0x0000000004B8A000-memory.dmp

Filesize
232KB

Download
memory/4848-186-0x00000000072B0000-0x00000000072C0000-memory.dmp

Filesize
64KB

Download
memory/4848-183-0x0000000004980000-0x00000000049BC000-memory.dmp

Filesize
240KB

Download
memory/4848-184-0x0000000002BC0000-0x0000000002C06000-memory.dmp

Filesize
280KB

Download
memory/4848-991-0x000000000B040000-0x000000000B202000-memory.dmp

Filesize
1.8MB

Download
memory/4848-992-0x000000000B220000-0x000000000B74C000-memory.dmp

Filesize
5.2MB

Download
memory/4848-993-0x0000000006BD0000-0x0000000006C20000-memory.dmp

Filesize
320KB

Download