452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e

Analysis

max time kernel
141s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe
Size

936KB
MD5

f3d75bf45bded3a5e00faa808957a58e
SHA1

cdef12e813e118fee572fb93d2ed6a13159c57c1
SHA256

452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e
SHA512

503b7eba4d402c4301405f194a1cef8d5581d49121d2c47ac6cad54eea2249e637d16c939f0f9d795d765a4b365205572a0a1f14776feab2dc8aac912b0281d9
SSDEEP

24576:ByB01DjXnpiPiAKjx5pyCvdJUdLE0rJB04359b1v:0B01DjXpiPinjImJ8LpJXJH

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it286180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it286180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it286180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it286180.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it286180.exe

Executes dropped EXE 6 IoCs

pid	Process
2324	ziEm3161.exe
2416	zibS2820.exe
2900	it286180.exe
4280	jr470835.exe
1200	kp918994.exe
3676	lr896728.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it286180.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zibS2820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zibS2820.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ziEm3161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziEm3161.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2456	3676	WerFault.exe	72
3764	3676	WerFault.exe	72
3976	3676	WerFault.exe	72
4300	3676	WerFault.exe	72
4304	3676	WerFault.exe	72
3828	3676	WerFault.exe	72
8	3676	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2900	it286180.exe
2900	it286180.exe
4280	jr470835.exe
4280	jr470835.exe
1200	kp918994.exe
1200	kp918994.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	it286180.exe
Token: SeDebugPrivilege	4280	jr470835.exe
Token: SeDebugPrivilege	1200	kp918994.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2324	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	66
PID 2112 wrote to memory of 2324	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	66
PID 2112 wrote to memory of 2324	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	66
PID 2324 wrote to memory of 2416	2324	ziEm3161.exe	67
PID 2324 wrote to memory of 2416	2324	ziEm3161.exe	67
PID 2324 wrote to memory of 2416	2324	ziEm3161.exe	67
PID 2416 wrote to memory of 2900	2416	zibS2820.exe	68
PID 2416 wrote to memory of 2900	2416	zibS2820.exe	68
PID 2416 wrote to memory of 4280	2416	zibS2820.exe	69
PID 2416 wrote to memory of 4280	2416	zibS2820.exe	69
PID 2416 wrote to memory of 4280	2416	zibS2820.exe	69
PID 2324 wrote to memory of 1200	2324	ziEm3161.exe	71
PID 2324 wrote to memory of 1200	2324	ziEm3161.exe	71
PID 2324 wrote to memory of 1200	2324	ziEm3161.exe	71
PID 2112 wrote to memory of 3676	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	72
PID 2112 wrote to memory of 3676	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	72
PID 2112 wrote to memory of 3676	2112	452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe	72

C:\Users\Admin\AppData\Local\Temp\452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe
"C:\Users\Admin\AppData\Local\Temp\452663af8d13f813c86debf8d724b0f03464c780bf2e1359648f4ef679ded68e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEm3161.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEm3161.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibS2820.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibS2820.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286180.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr470835.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr470835.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp918994.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp918994.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr896728.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr896728.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 616
    3⤵
    - Program crash
    PID:2456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 700
    3⤵
    - Program crash
    PID:3764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 768
    3⤵
    - Program crash
    PID:3976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 844
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 872
    3⤵
    - Program crash
    PID:4304
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 764
    3⤵
    - Program crash
    PID:3828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 1072
    3⤵
    - Program crash
    PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr896728.exe

Filesize
383KB

MD5
6aeff221628cf3f6d38f004fa14ca14f

SHA1
580a7af8f76ee8d606b9912228d38975115cd906

SHA256
4f0df015baff638464122a09a37b5fda41b78e5fe309ff7fc359352be7e6fee9

SHA512
b3ac3f0f3e678dd35d46dba7a14f9a8e3c5a9201226b241c1b0b3df4051cc866de9095402688ec4d6180644ba6ed7d5d8a32a7e04bbcd71058afd968153ee806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr896728.exe

Filesize
383KB

MD5
6aeff221628cf3f6d38f004fa14ca14f

SHA1
580a7af8f76ee8d606b9912228d38975115cd906

SHA256
4f0df015baff638464122a09a37b5fda41b78e5fe309ff7fc359352be7e6fee9

SHA512
b3ac3f0f3e678dd35d46dba7a14f9a8e3c5a9201226b241c1b0b3df4051cc866de9095402688ec4d6180644ba6ed7d5d8a32a7e04bbcd71058afd968153ee806

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEm3161.exe

Filesize
623KB

MD5
88967a89ade374d16995cfeb15c74878

SHA1
d1e4e1b5acf4fff939f5516cc5ac8d82518b36b1

SHA256
f7eaad28f341c6f30e395c8b4f98f6b14c00379651e3987f287b64e0932f6067

SHA512
81f5622a065f2b931314c3e63700616cc2c1d2f26200c1fa0a117f18703891318ab037e6437bb23ee5fecccd0220c5b3750290c3e445c757b3baec0d2b78e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEm3161.exe

Filesize
623KB

MD5
88967a89ade374d16995cfeb15c74878

SHA1
d1e4e1b5acf4fff939f5516cc5ac8d82518b36b1

SHA256
f7eaad28f341c6f30e395c8b4f98f6b14c00379651e3987f287b64e0932f6067

SHA512
81f5622a065f2b931314c3e63700616cc2c1d2f26200c1fa0a117f18703891318ab037e6437bb23ee5fecccd0220c5b3750290c3e445c757b3baec0d2b78e1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp918994.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp918994.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibS2820.exe

Filesize
469KB

MD5
3b0691e45daf92b00ec85b0b96459bf9

SHA1
443e88c67ac817183d91ed365583ac68fe39ce27

SHA256
1e9614948d0d2ca1908881b331e5aaa57bf57b9ac5add7052ec7703db3ec383e

SHA512
b476e1ffc917f4f97af9c547e09be36858affbe36d6bc4696317edadb50d56908cf219e3b815b89cd5d998d1d66084e9af996b3a565d05ddfd24cf19838ee8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zibS2820.exe

Filesize
469KB

MD5
3b0691e45daf92b00ec85b0b96459bf9

SHA1
443e88c67ac817183d91ed365583ac68fe39ce27

SHA256
1e9614948d0d2ca1908881b331e5aaa57bf57b9ac5add7052ec7703db3ec383e

SHA512
b476e1ffc917f4f97af9c547e09be36858affbe36d6bc4696317edadb50d56908cf219e3b815b89cd5d998d1d66084e9af996b3a565d05ddfd24cf19838ee8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286180.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it286180.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr470835.exe

Filesize
488KB

MD5
f629be05e3489a3f44c41fc84b0ff20b

SHA1
1879d7e11df40b56b98bf29b88f40593ef4640fc

SHA256
8339359f953d27871c58006a6686600f9c1460e73ff4d510998f6664dd94c9b9

SHA512
f7e259bba3658b3208843b7c614178abd76fb94e1d7bce7179a51f42ea0aea79799edec4cf25a96af44d3b16813e730faddf507b1f514c999b17a3caed539f00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr470835.exe

Filesize
488KB

MD5
f629be05e3489a3f44c41fc84b0ff20b

SHA1
1879d7e11df40b56b98bf29b88f40593ef4640fc

SHA256
8339359f953d27871c58006a6686600f9c1460e73ff4d510998f6664dd94c9b9

SHA512
f7e259bba3658b3208843b7c614178abd76fb94e1d7bce7179a51f42ea0aea79799edec4cf25a96af44d3b16813e730faddf507b1f514c999b17a3caed539f00

Download Submit
memory/1200-965-0x0000000007D70000-0x0000000007DBB000-memory.dmp

Filesize
300KB

Download
memory/1200-964-0x0000000000FF0000-0x0000000001018000-memory.dmp

Filesize
160KB

Download
memory/1200-966-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

Filesize
64KB

Download
memory/2900-139-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3676-972-0x0000000000810000-0x0000000000845000-memory.dmp

Filesize
212KB

Download
memory/4280-179-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-199-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-151-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-153-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-154-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/4280-157-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-156-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/4280-159-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-161-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-163-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-165-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-167-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-169-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-171-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-173-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-175-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-177-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-149-0x00000000052C0000-0x00000000052FA000-memory.dmp

Filesize
232KB

Download
memory/4280-181-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-183-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-185-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-187-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-189-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-191-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-193-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-195-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-197-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-150-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-201-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-203-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-205-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-207-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-209-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-211-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-213-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-215-0x00000000052C0000-0x00000000052F5000-memory.dmp

Filesize
212KB

Download
memory/4280-944-0x00000000077C0000-0x0000000007DC6000-memory.dmp

Filesize
6.0MB

Download
memory/4280-945-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4280-946-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4280-947-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/4280-948-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/4280-949-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/4280-950-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4280-951-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/4280-952-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/4280-954-0x0000000008BE0000-0x0000000008BFE000-memory.dmp

Filesize
120KB

Download
memory/4280-148-0x0000000004D80000-0x000000000527E000-memory.dmp

Filesize
5.0MB

Download
memory/4280-147-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/4280-145-0x0000000004D40000-0x0000000004D7C000-memory.dmp

Filesize
240KB

Download
memory/4280-146-0x00000000009A0000-0x00000000009E6000-memory.dmp

Filesize
280KB

Download
memory/4280-955-0x0000000008CB0000-0x0000000008E72000-memory.dmp

Filesize
1.8MB

Download
memory/4280-956-0x0000000008E80000-0x00000000093AC000-memory.dmp

Filesize
5.2MB

Download
memory/4280-957-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/4280-958-0x0000000002620000-0x0000000002670000-memory.dmp

Filesize
320KB

Download