809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988

Analysis

max time kernel
147s
max time network
94s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe
Size

1.1MB
MD5

04a5152da06190db2d11b3fdb8be7f63
SHA1

dba67fed7755524ef1ded36807fdfb9bac240918
SHA256

809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988
SHA512

4b8158fdd3a960a8ca7df590ac85b1fbf62ddf1a87eecc5a550d76f98719af99bd792a518469584b3981eb592a1c65c2a91b15494584273f66666b23fd78beaf
SSDEEP

24576:SyXAO9CAkdQ1LXRdEXyHyP3UpIna5KNWdcUburqtdI71H0:5XL01y1LCyHyPEpInVNeTuWty

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr244692.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr244692.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr244692.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr244692.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr244692.exe

Executes dropped EXE 6 IoCs

pid	Process
2520	un939305.exe
3172	un728183.exe
5032	pr244692.exe
3680	qu307704.exe
4968	rk758161.exe
3896	si086857.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr244692.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr244692.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un939305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un939305.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un728183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un728183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4108	3896	WerFault.exe	72
3060	3896	WerFault.exe	72
3560	3896	WerFault.exe	72
3512	3896	WerFault.exe	72
3632	3896	WerFault.exe	72
3684	3896	WerFault.exe	72
1588	3896	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5032	pr244692.exe
5032	pr244692.exe
3680	qu307704.exe
3680	qu307704.exe
4968	rk758161.exe
4968	rk758161.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5032	pr244692.exe
Token: SeDebugPrivilege	3680	qu307704.exe
Token: SeDebugPrivilege	4968	rk758161.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2520	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	66
PID 2456 wrote to memory of 2520	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	66
PID 2456 wrote to memory of 2520	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	66
PID 2520 wrote to memory of 3172	2520	un939305.exe	67
PID 2520 wrote to memory of 3172	2520	un939305.exe	67
PID 2520 wrote to memory of 3172	2520	un939305.exe	67
PID 3172 wrote to memory of 5032	3172	un728183.exe	68
PID 3172 wrote to memory of 5032	3172	un728183.exe	68
PID 3172 wrote to memory of 5032	3172	un728183.exe	68
PID 3172 wrote to memory of 3680	3172	un728183.exe	69
PID 3172 wrote to memory of 3680	3172	un728183.exe	69
PID 3172 wrote to memory of 3680	3172	un728183.exe	69
PID 2520 wrote to memory of 4968	2520	un939305.exe	71
PID 2520 wrote to memory of 4968	2520	un939305.exe	71
PID 2520 wrote to memory of 4968	2520	un939305.exe	71
PID 2456 wrote to memory of 3896	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	72
PID 2456 wrote to memory of 3896	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	72
PID 2456 wrote to memory of 3896	2456	809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe	72

C:\Users\Admin\AppData\Local\Temp\809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe
"C:\Users\Admin\AppData\Local\Temp\809d5f3432c33cb3743c45178e8136ba43fe7058232694aab19e7d2674f6e988.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939305.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939305.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un728183.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un728183.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr244692.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr244692.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu307704.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu307704.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758161.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758161.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4968
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086857.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086857.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 616
    3⤵
    - Program crash
    PID:4108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 696
    3⤵
    - Program crash
    PID:3060
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 836
    3⤵
    - Program crash
    PID:3560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 884
    3⤵
    - Program crash
    PID:3512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 812
    3⤵
    - Program crash
    PID:3632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 940
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 1072
    3⤵
    - Program crash
    PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086857.exe

Filesize
381KB

MD5
2f5ea739871c2a0d2dec763cc874a74d

SHA1
e649673cb34ec593e452b148af2f89e449b9a872

SHA256
9f775ccbfa8d7e039d1141718173cf7078637cdff8ab06f62bf62320dd21ef2f

SHA512
03dd89a556f4e1612179120b95c2f460ed4638cf7f8952c3407e74c576e071ee33ef3d95bae5ef6c45466517453d5759e604b17918edb164ac132dd54b2ce4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si086857.exe

Filesize
381KB

MD5
2f5ea739871c2a0d2dec763cc874a74d

SHA1
e649673cb34ec593e452b148af2f89e449b9a872

SHA256
9f775ccbfa8d7e039d1141718173cf7078637cdff8ab06f62bf62320dd21ef2f

SHA512
03dd89a556f4e1612179120b95c2f460ed4638cf7f8952c3407e74c576e071ee33ef3d95bae5ef6c45466517453d5759e604b17918edb164ac132dd54b2ce4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939305.exe

Filesize
763KB

MD5
2c448bc631448d419d9d43ee727f1728

SHA1
10513da2031a7b4c298b1cbdb2272ab266afd28b

SHA256
ba1d7bb0a4a09c08e39aa271aff8fc946bf3f9a5741a83d9f0eeb42c30ad03b6

SHA512
60c16255f611f1c0a6f518eee11793cf5729a0b4d367f40726752f0bd9e717bdbad60e3b294fa2345f67025a1c7763ef46f52ce607cfc1ee25a07008a873c2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un939305.exe

Filesize
763KB

MD5
2c448bc631448d419d9d43ee727f1728

SHA1
10513da2031a7b4c298b1cbdb2272ab266afd28b

SHA256
ba1d7bb0a4a09c08e39aa271aff8fc946bf3f9a5741a83d9f0eeb42c30ad03b6

SHA512
60c16255f611f1c0a6f518eee11793cf5729a0b4d367f40726752f0bd9e717bdbad60e3b294fa2345f67025a1c7763ef46f52ce607cfc1ee25a07008a873c2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758161.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk758161.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un728183.exe

Filesize
609KB

MD5
552613c09d57f00854619a40c07dcea3

SHA1
9aa9a7e217e6dfc22557981a9353aea0f2bfb905

SHA256
d739e258acd8fa7c5d9ec4f1f7e790a45b728dca9eda2bce7bbf0c94eccefa20

SHA512
7bfc3d46fe36bd193b7f4cfae7822a44770b03ac99acabbf57aba163bce0aba0a96ab349257f2966d92343cffd2bfe2e2c5bc10fe2f386688b7281125b808c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un728183.exe

Filesize
609KB

MD5
552613c09d57f00854619a40c07dcea3

SHA1
9aa9a7e217e6dfc22557981a9353aea0f2bfb905

SHA256
d739e258acd8fa7c5d9ec4f1f7e790a45b728dca9eda2bce7bbf0c94eccefa20

SHA512
7bfc3d46fe36bd193b7f4cfae7822a44770b03ac99acabbf57aba163bce0aba0a96ab349257f2966d92343cffd2bfe2e2c5bc10fe2f386688b7281125b808c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr244692.exe

Filesize
403KB

MD5
ef377cdd6228479a0e01de8e56c5c3f8

SHA1
dc14f4472952276d0ade162f3695498c28ceae0b

SHA256
e1b8de45fa6eb2c64d7cdc460c3f61fb2940dedcc217ba70345905cdf1c7fdd6

SHA512
057d7facff640a4d457bc0b1b5f6dd5bc8af7d94028d65e0759393cd30f85c9cc36d473a76ca044c14a73c7a74b0e0980998af316170523057d8ad882647bf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr244692.exe

Filesize
403KB

MD5
ef377cdd6228479a0e01de8e56c5c3f8

SHA1
dc14f4472952276d0ade162f3695498c28ceae0b

SHA256
e1b8de45fa6eb2c64d7cdc460c3f61fb2940dedcc217ba70345905cdf1c7fdd6

SHA512
057d7facff640a4d457bc0b1b5f6dd5bc8af7d94028d65e0759393cd30f85c9cc36d473a76ca044c14a73c7a74b0e0980998af316170523057d8ad882647bf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu307704.exe

Filesize
485KB

MD5
2f5747ac8011382f4ccee983ea104835

SHA1
87d5cc366187cb12f628c1a3a0810458f8d9eaed

SHA256
d119b5068a8685a267b40e261dddac04b5e35e58705ef13703f3b930b2c45c33

SHA512
5d859d4e491d7f8b97f6b04872c43811f9cb6d3c8859126cc701d1347f74c17980339e7cdbfe7656e022c608a3c28c3386c5977e1dbe0c15ec3364fa68c53e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu307704.exe

Filesize
485KB

MD5
2f5747ac8011382f4ccee983ea104835

SHA1
87d5cc366187cb12f628c1a3a0810458f8d9eaed

SHA256
d119b5068a8685a267b40e261dddac04b5e35e58705ef13703f3b930b2c45c33

SHA512
5d859d4e491d7f8b97f6b04872c43811f9cb6d3c8859126cc701d1347f74c17980339e7cdbfe7656e022c608a3c28c3386c5977e1dbe0c15ec3364fa68c53e5a

Download Submit
memory/3680-984-0x0000000007EF0000-0x00000000084F6000-memory.dmp

Filesize
6.0MB

Download
memory/3680-988-0x0000000005000000-0x000000000503E000-memory.dmp

Filesize
248KB

Download
memory/3680-996-0x0000000008ED0000-0x00000000093FC000-memory.dmp

Filesize
5.2MB

Download
memory/3680-995-0x0000000008D00000-0x0000000008EC2000-memory.dmp

Filesize
1.8MB

Download
memory/3680-994-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/3680-993-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/3680-992-0x0000000008B20000-0x0000000008B70000-memory.dmp

Filesize
320KB

Download
memory/3680-991-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/3680-990-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/3680-989-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/3680-987-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3680-986-0x00000000078E0000-0x00000000079EA000-memory.dmp

Filesize
1.0MB

Download
memory/3680-985-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/3680-236-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3680-234-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3680-232-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/3680-230-0x0000000000940000-0x0000000000986000-memory.dmp

Filesize
280KB

Download
memory/3680-217-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-219-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-221-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-215-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-186-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/3680-187-0x00000000026C0000-0x00000000026FA000-memory.dmp

Filesize
232KB

Download
memory/3680-188-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-189-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-191-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-193-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-195-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-197-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-199-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-203-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-201-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-205-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-207-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-209-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-211-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3680-213-0x00000000026C0000-0x00000000026F5000-memory.dmp

Filesize
212KB

Download
memory/3896-1010-0x0000000000810000-0x0000000000845000-memory.dmp

Filesize
212KB

Download
memory/4968-1002-0x0000000000760000-0x0000000000788000-memory.dmp

Filesize
160KB

Download
memory/4968-1004-0x0000000007850000-0x0000000007860000-memory.dmp

Filesize
64KB

Download
memory/4968-1003-0x00000000074E0000-0x000000000752B000-memory.dmp

Filesize
300KB

Download
memory/5032-163-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-157-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-175-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-173-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-147-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/5032-171-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-169-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-167-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-150-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-165-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-148-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/5032-161-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-159-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-177-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-155-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-153-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-151-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/5032-146-0x00000000009E0000-0x0000000000A0D000-memory.dmp

Filesize
180KB

Download
memory/5032-145-0x0000000004D30000-0x0000000004D48000-memory.dmp

Filesize
96KB

Download
memory/5032-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/5032-179-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/5032-181-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/5032-144-0x0000000004DD0000-0x00000000052CE000-memory.dmp

Filesize
5.0MB

Download
memory/5032-143-0x0000000000B40000-0x0000000000B5A000-memory.dmp

Filesize
104KB

Download
memory/5032-149-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download