d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d

Analysis

max time kernel
150s
max time network
98s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 08:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe
Size

1.1MB
MD5

d6483522f3b3b211e5932fac533d2890
SHA1

5a12092fcb5483563eba671e4b50fd6c600bc9bc
SHA256

d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d
SHA512

8c1e7e1ad5b25d0f39f45935fb2f45d7bf438467881e13bdd3e47b85dc5b482a2051eccbe45d0ff37372de83c05e42e1d2ea1e86d1d8a567825b64c712cc5267
SSDEEP

24576:py7BnUMxN4MPYtOwgEeRVsHmXTd6pCQG5DK6otcsUTBh+mRUrmxT:c7VUcaMAOfyGX56pCjDG2+mRWmx

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr561335.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr561335.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr561335.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr561335.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr561335.exe

Executes dropped EXE 6 IoCs

pid	Process
1592	un246702.exe
1968	un027280.exe
964	pr561335.exe
4696	qu794400.exe
1608	rk811998.exe
4908	si499711.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr561335.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr561335.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un246702.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un246702.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un027280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un027280.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
1440	4908	WerFault.exe	72
2508	4908	WerFault.exe	72
4548	4908	WerFault.exe	72
4376	4908	WerFault.exe	72
2108	4908	WerFault.exe	72
1128	4908	WerFault.exe	72
1924	4908	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
964	pr561335.exe
964	pr561335.exe
4696	qu794400.exe
4696	qu794400.exe
1608	rk811998.exe
1608	rk811998.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	pr561335.exe
Token: SeDebugPrivilege	4696	qu794400.exe
Token: SeDebugPrivilege	1608	rk811998.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1592	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	66
PID 1444 wrote to memory of 1592	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	66
PID 1444 wrote to memory of 1592	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	66
PID 1592 wrote to memory of 1968	1592	un246702.exe	67
PID 1592 wrote to memory of 1968	1592	un246702.exe	67
PID 1592 wrote to memory of 1968	1592	un246702.exe	67
PID 1968 wrote to memory of 964	1968	un027280.exe	68
PID 1968 wrote to memory of 964	1968	un027280.exe	68
PID 1968 wrote to memory of 964	1968	un027280.exe	68
PID 1968 wrote to memory of 4696	1968	un027280.exe	69
PID 1968 wrote to memory of 4696	1968	un027280.exe	69
PID 1968 wrote to memory of 4696	1968	un027280.exe	69
PID 1592 wrote to memory of 1608	1592	un246702.exe	71
PID 1592 wrote to memory of 1608	1592	un246702.exe	71
PID 1592 wrote to memory of 1608	1592	un246702.exe	71
PID 1444 wrote to memory of 4908	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	72
PID 1444 wrote to memory of 4908	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	72
PID 1444 wrote to memory of 4908	1444	d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe	72

C:\Users\Admin\AppData\Local\Temp\d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe
"C:\Users\Admin\AppData\Local\Temp\d7b88586a738a24f38ab66e09afb778e6bc50be3bf48d0dc43a7ba469c5d012d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un246702.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un246702.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027280.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027280.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr561335.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr561335.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:964
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu794400.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu794400.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk811998.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk811998.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499711.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499711.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 624
    3⤵
    - Program crash
    PID:1440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 696
    3⤵
    - Program crash
    PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 836
    3⤵
    - Program crash
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 824
    3⤵
    - Program crash
    PID:4376
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 872
    3⤵
    - Program crash
    PID:2108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 816
    3⤵
    - Program crash
    PID:1128
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1068
    3⤵
    - Program crash
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499711.exe

Filesize
381KB

MD5
7314fae49aaa53628d402ad228329149

SHA1
3fcf8881345f4b26c3f55fb6ee138bbd04a29da1

SHA256
98214f101388a47528ee56a49df2dd5a8a8350a4305cc3e53e57cb1c904fe9f4

SHA512
c21c1db919a9a45accf7d54aaffce62b672ec54d44fa1570db024047e673732f5a4f9577b4136f7801a3ba20632c74761d443db03ccfc00080db1c2a18a0d608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si499711.exe

Filesize
381KB

MD5
7314fae49aaa53628d402ad228329149

SHA1
3fcf8881345f4b26c3f55fb6ee138bbd04a29da1

SHA256
98214f101388a47528ee56a49df2dd5a8a8350a4305cc3e53e57cb1c904fe9f4

SHA512
c21c1db919a9a45accf7d54aaffce62b672ec54d44fa1570db024047e673732f5a4f9577b4136f7801a3ba20632c74761d443db03ccfc00080db1c2a18a0d608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un246702.exe

Filesize
763KB

MD5
b907e5669d133e4e35dbf108028b5d29

SHA1
18f96e169416426a62fceee3aa8005384a197238

SHA256
5e57fcbc953ba8d5b1a075c95e349323bc8a8a1e12fd9c0417b79836bdccde30

SHA512
b861bda103062285776b1de69ee6a7d1fba49109b4ae20011e86e32fd76505fcfcc695a00fc7a5a49016743a95da6dc8a7ed0c83c848f316b05fd5ef4e8faf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un246702.exe

Filesize
763KB

MD5
b907e5669d133e4e35dbf108028b5d29

SHA1
18f96e169416426a62fceee3aa8005384a197238

SHA256
5e57fcbc953ba8d5b1a075c95e349323bc8a8a1e12fd9c0417b79836bdccde30

SHA512
b861bda103062285776b1de69ee6a7d1fba49109b4ae20011e86e32fd76505fcfcc695a00fc7a5a49016743a95da6dc8a7ed0c83c848f316b05fd5ef4e8faf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk811998.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk811998.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027280.exe

Filesize
609KB

MD5
0a9e843538b13989cc0f4bc059eef021

SHA1
6bc31edbd1792802a483291f4b08d7d39d648655

SHA256
466060166c2dd92e256ff9428b36feec6afac926042999f1f254d08897ccb820

SHA512
76b66d92dfd2cd8e52f998051ec72baf44576b3dc7006011829858ada7a142c1955698ac80bb6a1966a66a1ce6176d69719df01a48e0bfc00ad648a25cf98a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un027280.exe

Filesize
609KB

MD5
0a9e843538b13989cc0f4bc059eef021

SHA1
6bc31edbd1792802a483291f4b08d7d39d648655

SHA256
466060166c2dd92e256ff9428b36feec6afac926042999f1f254d08897ccb820

SHA512
76b66d92dfd2cd8e52f998051ec72baf44576b3dc7006011829858ada7a142c1955698ac80bb6a1966a66a1ce6176d69719df01a48e0bfc00ad648a25cf98a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr561335.exe

Filesize
403KB

MD5
03ca8551485f13bccf109e5d09fff35b

SHA1
d27bd8614ddf065201b8fc84c4832ec48a3ef09f

SHA256
2319553302bf3ea170ba1a793185ee15ac3f747c1fb8bec94740edfd0d21bb0a

SHA512
ecf35aa2ae3474878e68d0bb2455b41d8ef4283fd81772796f830ffc5295fc22a240b16c40f4fd05db01ba657b82cb506109d6593173c561058d49d02c9b1548

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr561335.exe

Filesize
403KB

MD5
03ca8551485f13bccf109e5d09fff35b

SHA1
d27bd8614ddf065201b8fc84c4832ec48a3ef09f

SHA256
2319553302bf3ea170ba1a793185ee15ac3f747c1fb8bec94740edfd0d21bb0a

SHA512
ecf35aa2ae3474878e68d0bb2455b41d8ef4283fd81772796f830ffc5295fc22a240b16c40f4fd05db01ba657b82cb506109d6593173c561058d49d02c9b1548

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu794400.exe

Filesize
485KB

MD5
cd3f50fcd5b0e6fa9bf88ab7c252ca81

SHA1
8d5773b70de11abf9d8ee5edf4be227c91cc89e0

SHA256
7183c93017a54bfcb3912b69b721f3f3ee20da171b7e1f9f30bf1f396d199350

SHA512
717afa24a831541be9bf4f721b974d02004476b22edd2bc5cd26c339905a70ffa65950372d819f535fcff435c64233600ca710adb5f983563900a4c2202b0f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu794400.exe

Filesize
485KB

MD5
cd3f50fcd5b0e6fa9bf88ab7c252ca81

SHA1
8d5773b70de11abf9d8ee5edf4be227c91cc89e0

SHA256
7183c93017a54bfcb3912b69b721f3f3ee20da171b7e1f9f30bf1f396d199350

SHA512
717afa24a831541be9bf4f721b974d02004476b22edd2bc5cd26c339905a70ffa65950372d819f535fcff435c64233600ca710adb5f983563900a4c2202b0f54

Download Submit
memory/964-154-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-174-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-147-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-148-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-150-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-152-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/964-156-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-158-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-160-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-162-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-164-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-166-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-146-0x0000000004D30000-0x0000000004D48000-memory.dmp

Filesize
96KB

Download
memory/964-172-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-170-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-168-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/964-175-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/964-176-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/964-177-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/964-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/964-180-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/964-144-0x0000000002720000-0x000000000273A000-memory.dmp

Filesize
104KB

Download
memory/964-145-0x0000000004DE0000-0x00000000052DE000-memory.dmp

Filesize
5.0MB

Download
memory/1608-1001-0x0000000000790000-0x00000000007B8000-memory.dmp

Filesize
160KB

Download
memory/1608-1003-0x00000000074F0000-0x0000000007500000-memory.dmp

Filesize
64KB

Download
memory/1608-1002-0x0000000007540000-0x000000000758B000-memory.dmp

Filesize
300KB

Download
memory/4696-187-0x0000000000A60000-0x0000000000AA6000-memory.dmp

Filesize
280KB

Download
memory/4696-192-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4696-191-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-189-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-194-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-196-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-198-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-200-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-202-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-204-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-206-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-208-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-210-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-212-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-214-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-216-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-218-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-220-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-222-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-224-0x0000000002740000-0x0000000002775000-memory.dmp

Filesize
212KB

Download
memory/4696-983-0x0000000007920000-0x0000000007F26000-memory.dmp

Filesize
6.0MB

Download
memory/4696-984-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

Filesize
72KB

Download
memory/4696-985-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4696-986-0x0000000005000000-0x000000000503E000-memory.dmp

Filesize
248KB

Download
memory/4696-987-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4696-988-0x0000000008040000-0x000000000808B000-memory.dmp

Filesize
300KB

Download
memory/4696-989-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4696-990-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/4696-991-0x0000000008B70000-0x0000000008BC0000-memory.dmp

Filesize
320KB

Download
memory/4696-992-0x0000000008BD0000-0x0000000008C46000-memory.dmp

Filesize
472KB

Download
memory/4696-190-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4696-188-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4696-186-0x0000000002740000-0x000000000277A000-memory.dmp

Filesize
232KB

Download
memory/4696-185-0x0000000002580000-0x00000000025BC000-memory.dmp

Filesize
240KB

Download
memory/4696-993-0x0000000008CA0000-0x0000000008E62000-memory.dmp

Filesize
1.8MB

Download
memory/4696-994-0x0000000008E80000-0x00000000093AC000-memory.dmp

Filesize
5.2MB

Download
memory/4696-995-0x00000000094C0000-0x00000000094DE000-memory.dmp

Filesize
120KB

Download
memory/4908-1009-0x0000000000900000-0x0000000000935000-memory.dmp

Filesize
212KB

Download