ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d

Analysis

max time kernel
148s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe
Size

1.1MB
MD5

671ab21e0ad80abeb605a96f15c937a9
SHA1

c8d19a635508372df78da6dca2f691e526b6b2f7
SHA256

ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d
SHA512

49d4f931976b38f900da93622ebabfc560b91b0a3840a84495c57c4d38099c4f9a6798cbb50dd6efac394dde8a2eb149d5335ea0e7b4411ed00fc71687f8bfeb
SSDEEP

24576:CyWDC9gSjox/VWp1bPWgw+bBogjuoGfQN2pwzh6oE:pSSsSbPNbBogjJxNuwzh6

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr245425.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr245425.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr245425.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr245425.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr245425.exe

Executes dropped EXE 6 IoCs

pid	Process
4056	un462954.exe
4200	un555302.exe
1436	pr245425.exe
4968	qu596261.exe
2688	rk082603.exe
1612	si477224.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr245425.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr245425.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un462954.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un462954.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un555302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un555302.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4940	1612	WerFault.exe	72
4144	1612	WerFault.exe	72
4312	1612	WerFault.exe	72
4300	1612	WerFault.exe	72
3420	1612	WerFault.exe	72
3492	1612	WerFault.exe	72
4436	1612	WerFault.exe	72
4864	1612	WerFault.exe	72
4184	1612	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1436	pr245425.exe
1436	pr245425.exe
4968	qu596261.exe
4968	qu596261.exe
2688	rk082603.exe
2688	rk082603.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	pr245425.exe
Token: SeDebugPrivilege	4968	qu596261.exe
Token: SeDebugPrivilege	2688	rk082603.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1612	si477224.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 4056	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	66
PID 3452 wrote to memory of 4056	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	66
PID 3452 wrote to memory of 4056	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	66
PID 4056 wrote to memory of 4200	4056	un462954.exe	67
PID 4056 wrote to memory of 4200	4056	un462954.exe	67
PID 4056 wrote to memory of 4200	4056	un462954.exe	67
PID 4200 wrote to memory of 1436	4200	un555302.exe	68
PID 4200 wrote to memory of 1436	4200	un555302.exe	68
PID 4200 wrote to memory of 1436	4200	un555302.exe	68
PID 4200 wrote to memory of 4968	4200	un555302.exe	69
PID 4200 wrote to memory of 4968	4200	un555302.exe	69
PID 4200 wrote to memory of 4968	4200	un555302.exe	69
PID 4056 wrote to memory of 2688	4056	un462954.exe	71
PID 4056 wrote to memory of 2688	4056	un462954.exe	71
PID 4056 wrote to memory of 2688	4056	un462954.exe	71
PID 3452 wrote to memory of 1612	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	72
PID 3452 wrote to memory of 1612	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	72
PID 3452 wrote to memory of 1612	3452	ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe	72

C:\Users\Admin\AppData\Local\Temp\ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe
"C:\Users\Admin\AppData\Local\Temp\ca639888f66899cdf8de19998daa3996ce25b4ca3f3b1242746f88f9b3e3250d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un462954.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un462954.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un555302.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un555302.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr245425.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr245425.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu596261.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu596261.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk082603.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk082603.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477224.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477224.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:1612
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 616
    3⤵
    - Program crash
    PID:4940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 696
    3⤵
    - Program crash
    PID:4144
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 796
    3⤵
    - Program crash
    PID:4312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 876
    3⤵
    - Program crash
    PID:4300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 900
    3⤵
    - Program crash
    PID:3420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 864
    3⤵
    - Program crash
    PID:3492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1116
    3⤵
    - Program crash
    PID:4436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1196
    3⤵
    - Program crash
    PID:4864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 1172
    3⤵
    - Program crash
    PID:4184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477224.exe

Filesize
384KB

MD5
b77e2daf87e81d08db79baf4a8ad5504

SHA1
53ea45616eabafce6e5ca4154819590bc29366ef

SHA256
d9bfe87ca022575fb30865d75d5f9de228e853a0230070e9aeb396435cb12bd6

SHA512
d29dabc363c6fac364d77bbb76d85051e0976618179e975d81e5e1e6d7fe802a0e4710c76e420dc9f102a7e183aff611d316f7517661cba97b2d428590ba7ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si477224.exe

Filesize
384KB

MD5
b77e2daf87e81d08db79baf4a8ad5504

SHA1
53ea45616eabafce6e5ca4154819590bc29366ef

SHA256
d9bfe87ca022575fb30865d75d5f9de228e853a0230070e9aeb396435cb12bd6

SHA512
d29dabc363c6fac364d77bbb76d85051e0976618179e975d81e5e1e6d7fe802a0e4710c76e420dc9f102a7e183aff611d316f7517661cba97b2d428590ba7ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un462954.exe

Filesize
762KB

MD5
414434a722d366492647540405bdbb59

SHA1
4321742ab7cad9dc4d8aafbfbe1dadd229ae2ce0

SHA256
70be7c7bc4859f2b4b9de1260dadaaf2e112b90bb4ecd32b8f93a02a6e90220e

SHA512
80f78ffe3c01bdf42e9ed88eb5caaf408e0a4aea261511e8deedfb88ab7ea67258e090e4b4b5da616a8e182ae46da16b3a343bbd3a59eaf50469d73b7b862c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un462954.exe

Filesize
762KB

MD5
414434a722d366492647540405bdbb59

SHA1
4321742ab7cad9dc4d8aafbfbe1dadd229ae2ce0

SHA256
70be7c7bc4859f2b4b9de1260dadaaf2e112b90bb4ecd32b8f93a02a6e90220e

SHA512
80f78ffe3c01bdf42e9ed88eb5caaf408e0a4aea261511e8deedfb88ab7ea67258e090e4b4b5da616a8e182ae46da16b3a343bbd3a59eaf50469d73b7b862c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk082603.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk082603.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un555302.exe

Filesize
608KB

MD5
8ecbeecded00dd19e18a9b4348bee8be

SHA1
b1e3ac6e532d3dc67bb5aa635be47698fd5026e1

SHA256
e64a93fe60e480d3a2d5b9cd9c40d83ac558f748353baea8bc83a35a55ae250d

SHA512
1202c3596293fa9c10ac007c2856e5d1e84acca391d5e9c470e9d6ab914d996a47b1d822ff4cf4cabddbed853f39890bb3989af12163339695e4e37180a1b1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un555302.exe

Filesize
608KB

MD5
8ecbeecded00dd19e18a9b4348bee8be

SHA1
b1e3ac6e532d3dc67bb5aa635be47698fd5026e1

SHA256
e64a93fe60e480d3a2d5b9cd9c40d83ac558f748353baea8bc83a35a55ae250d

SHA512
1202c3596293fa9c10ac007c2856e5d1e84acca391d5e9c470e9d6ab914d996a47b1d822ff4cf4cabddbed853f39890bb3989af12163339695e4e37180a1b1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr245425.exe

Filesize
405KB

MD5
06e7449097402f674c22f81d6d5152b5

SHA1
73cacfdda49e473afb299b91930e0a4218ef76ee

SHA256
bc7465c40ee1e473555f34b1e317bc611a6d1b043a680f13d5b5d29fcb36d582

SHA512
29fd7074b92b42bce755f0b6dc1585bac2c69328ddaf6480907e464f2af924a97038f99fbddfc62401fa7332a6c73bd86f2354e2b88b0141ada70067da4eb1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr245425.exe

Filesize
405KB

MD5
06e7449097402f674c22f81d6d5152b5

SHA1
73cacfdda49e473afb299b91930e0a4218ef76ee

SHA256
bc7465c40ee1e473555f34b1e317bc611a6d1b043a680f13d5b5d29fcb36d582

SHA512
29fd7074b92b42bce755f0b6dc1585bac2c69328ddaf6480907e464f2af924a97038f99fbddfc62401fa7332a6c73bd86f2354e2b88b0141ada70067da4eb1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu596261.exe

Filesize
488KB

MD5
0dcbc0f69cc2465e8487ae849fe46b4f

SHA1
6e650c31cfb680b2b36bfd942c98432979c8738e

SHA256
955cf5a3a1c70be464add9e1cc55493125d9dd8dd229e8e2e5deb023809ff1ad

SHA512
af778e7811e32f519a9a3c73e3e5345261c6992aee9bf51cbe89521449791db8f2eba79e344afae7e7ae902bd1dc256dec9717a196f7d42801806d6946f0873a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu596261.exe

Filesize
488KB

MD5
0dcbc0f69cc2465e8487ae849fe46b4f

SHA1
6e650c31cfb680b2b36bfd942c98432979c8738e

SHA256
955cf5a3a1c70be464add9e1cc55493125d9dd8dd229e8e2e5deb023809ff1ad

SHA512
af778e7811e32f519a9a3c73e3e5345261c6992aee9bf51cbe89521449791db8f2eba79e344afae7e7ae902bd1dc256dec9717a196f7d42801806d6946f0873a

Download Submit
memory/1436-157-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-181-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1436-147-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1436-148-0x0000000004EC0000-0x00000000053BE000-memory.dmp

Filesize
5.0MB

Download
memory/1436-149-0x0000000004D30000-0x0000000004D48000-memory.dmp

Filesize
96KB

Download
memory/1436-150-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-151-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-153-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-143-0x00000000024B0000-0x00000000024CA000-memory.dmp

Filesize
104KB

Download
memory/1436-155-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-165-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-163-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-173-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-177-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-175-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-171-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-169-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-167-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-161-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-159-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/1436-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/1436-179-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1436-145-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1436-144-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1436-146-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/1612-1010-0x00000000008E0000-0x0000000000915000-memory.dmp

Filesize
212KB

Download
memory/2688-1002-0x0000000000980000-0x00000000009A8000-memory.dmp

Filesize
160KB

Download
memory/2688-1003-0x0000000007740000-0x000000000778B000-memory.dmp

Filesize
300KB

Download
memory/2688-1004-0x00000000076F0000-0x0000000007700000-memory.dmp

Filesize
64KB

Download
memory/4968-188-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4968-195-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-197-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-191-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-199-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-190-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4968-201-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-203-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-205-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-207-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-209-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-211-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-213-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-215-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-217-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-219-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-221-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-223-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-225-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-984-0x00000000077F0000-0x0000000007DF6000-memory.dmp

Filesize
6.0MB

Download
memory/4968-985-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4968-986-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4968-987-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/4968-988-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/4968-989-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4968-990-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4968-991-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/4968-992-0x0000000008B20000-0x0000000008B70000-memory.dmp

Filesize
320KB

Download
memory/4968-993-0x0000000008B90000-0x0000000008C06000-memory.dmp

Filesize
472KB

Download
memory/4968-193-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4968-192-0x00000000052F0000-0x0000000005325000-memory.dmp

Filesize
212KB

Download
memory/4968-189-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4968-187-0x00000000052F0000-0x000000000532A000-memory.dmp

Filesize
232KB

Download
memory/4968-186-0x0000000002630000-0x000000000266C000-memory.dmp

Filesize
240KB

Download
memory/4968-994-0x0000000008C60000-0x0000000008E22000-memory.dmp

Filesize
1.8MB

Download
memory/4968-995-0x0000000008E30000-0x000000000935C000-memory.dmp

Filesize
5.2MB

Download
memory/4968-996-0x0000000009480000-0x000000000949E000-memory.dmp

Filesize
120KB

Download