873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293

Analysis

max time kernel
145s
max time network
147s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2023 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe
Size

1.1MB
MD5

9a1825d61ac5282d57733891d4899a70
SHA1

f51a9a0e3df977ff3efb83ae24e9b9c9ab34b969
SHA256

873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293
SHA512

3cdc089e02bdc500628b567528311f38d4ce0b74bb09e1f03805d676f4b54332bacfd80eac43e294b12ee2b4972b4bacb257065853384b42531a4f05b379ec91
SSDEEP

24576:Py4aB9FWZbbJ2NX/2aL2FLYP3T+eCfyUf9:a489FvRcLYr+5Ka

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr878972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr878972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr878972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr878972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr878972.exe

Executes dropped EXE 6 IoCs

pid	Process
4272	un899480.exe
4624	un884603.exe
4008	pr878972.exe
3880	qu038449.exe
4664	rk480800.exe
4876	si949256.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr878972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr878972.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un884603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un884603.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un899480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un899480.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2068	4876	WerFault.exe	72
2252	4876	WerFault.exe	72
5012	4876	WerFault.exe	72
5016	4876	WerFault.exe	72
5048	4876	WerFault.exe	72
4480	4876	WerFault.exe	72
3780	4876	WerFault.exe	72
4504	4876	WerFault.exe	72
4440	4876	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4008	pr878972.exe
4008	pr878972.exe
3880	qu038449.exe
3880	qu038449.exe
4664	rk480800.exe
4664	rk480800.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	pr878972.exe
Token: SeDebugPrivilege	3880	qu038449.exe
Token: SeDebugPrivilege	4664	rk480800.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4876	si949256.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4272	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	66
PID 3628 wrote to memory of 4272	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	66
PID 3628 wrote to memory of 4272	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	66
PID 4272 wrote to memory of 4624	4272	un899480.exe	67
PID 4272 wrote to memory of 4624	4272	un899480.exe	67
PID 4272 wrote to memory of 4624	4272	un899480.exe	67
PID 4624 wrote to memory of 4008	4624	un884603.exe	68
PID 4624 wrote to memory of 4008	4624	un884603.exe	68
PID 4624 wrote to memory of 4008	4624	un884603.exe	68
PID 4624 wrote to memory of 3880	4624	un884603.exe	69
PID 4624 wrote to memory of 3880	4624	un884603.exe	69
PID 4624 wrote to memory of 3880	4624	un884603.exe	69
PID 4272 wrote to memory of 4664	4272	un899480.exe	71
PID 4272 wrote to memory of 4664	4272	un899480.exe	71
PID 4272 wrote to memory of 4664	4272	un899480.exe	71
PID 3628 wrote to memory of 4876	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	72
PID 3628 wrote to memory of 4876	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	72
PID 3628 wrote to memory of 4876	3628	873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe	72

C:\Users\Admin\AppData\Local\Temp\873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe
"C:\Users\Admin\AppData\Local\Temp\873d980aad254e5a6c8834ecaf8f86f2e16e304ca4694dd834091449aab72293.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899480.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899480.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884603.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884603.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr878972.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr878972.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu038449.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu038449.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk480800.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk480800.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949256.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949256.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 624
    3⤵
    - Program crash
    PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 704
    3⤵
    - Program crash
    PID:2252
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 844
    3⤵
    - Program crash
    PID:5012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 852
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 892
    3⤵
    - Program crash
    PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 944
    3⤵
    - Program crash
    PID:4480
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1132
    3⤵
    - Program crash
    PID:3780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1192
    3⤵
    - Program crash
    PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1212
    3⤵
    - Program crash
    PID:4440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949256.exe

Filesize
384KB

MD5
2260e82d6067061424f914abb350566b

SHA1
d42f41abe813b39acc13a43ad429345278dbcaf2

SHA256
187b986d6700aa56318994c3c1d1ae2af6ba9eead13843f53e28b5f4e5213478

SHA512
874e760c062abbcd60e5832c7bc1b5d5fec389fde5dc7f8d4b9d660224f6c705b376249fc0896b01245a4ec427a98ab774901078b93d32d11a062cf138ffcfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si949256.exe

Filesize
384KB

MD5
2260e82d6067061424f914abb350566b

SHA1
d42f41abe813b39acc13a43ad429345278dbcaf2

SHA256
187b986d6700aa56318994c3c1d1ae2af6ba9eead13843f53e28b5f4e5213478

SHA512
874e760c062abbcd60e5832c7bc1b5d5fec389fde5dc7f8d4b9d660224f6c705b376249fc0896b01245a4ec427a98ab774901078b93d32d11a062cf138ffcfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899480.exe

Filesize
763KB

MD5
ef5c4de5e81523cf38484e34ffe4c916

SHA1
cb3b305ca7170a58bec76af8ed730248cd743903

SHA256
aa8d1974c527879edc4ee7c6cb5721b393972d2e272ab70476fbc1fda3b0a525

SHA512
0a2038a8e0f326802537e6d050ba7d1288cf7ef670d4794a0c13ee262f829ca5d678c345647571c89b76ea675e46e67bd3b0361c9854b844e54bbf2218dac09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un899480.exe

Filesize
763KB

MD5
ef5c4de5e81523cf38484e34ffe4c916

SHA1
cb3b305ca7170a58bec76af8ed730248cd743903

SHA256
aa8d1974c527879edc4ee7c6cb5721b393972d2e272ab70476fbc1fda3b0a525

SHA512
0a2038a8e0f326802537e6d050ba7d1288cf7ef670d4794a0c13ee262f829ca5d678c345647571c89b76ea675e46e67bd3b0361c9854b844e54bbf2218dac09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk480800.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk480800.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884603.exe

Filesize
609KB

MD5
a3e2d3031c75827070ddd0b0065ad74a

SHA1
10d915c1524dec07a0f4c16131e1d01743d6ed83

SHA256
fbde7ec87b2001d704d8beac109e30db472c72dae37f81cf25956fa4e61643d8

SHA512
587be6882d038cfa4c381ae6a178a88eea96de944e9657adad2f1e3a66f93403ef7e92aa0e3683c2399939bd8ba4caa128aa0dac40964db5da23880511cc4076

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un884603.exe

Filesize
609KB

MD5
a3e2d3031c75827070ddd0b0065ad74a

SHA1
10d915c1524dec07a0f4c16131e1d01743d6ed83

SHA256
fbde7ec87b2001d704d8beac109e30db472c72dae37f81cf25956fa4e61643d8

SHA512
587be6882d038cfa4c381ae6a178a88eea96de944e9657adad2f1e3a66f93403ef7e92aa0e3683c2399939bd8ba4caa128aa0dac40964db5da23880511cc4076

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr878972.exe

Filesize
406KB

MD5
44d222e66d7fea887f75c6bd44ffaadb

SHA1
83af154aea762a51f9fa95c83ac366c019622c49

SHA256
a14d9da99dc03658056c9329962a22bf159656644a5ae3f6c3b2d52da91f52c6

SHA512
de12c6b0178d74f15cd592d3a1b958b74af55f2d86452f0416a4e95c60d5c215318f7baf48b1fd4ea4f8dea7d5a65e03981bddc64696fc081f2173554f20d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr878972.exe

Filesize
406KB

MD5
44d222e66d7fea887f75c6bd44ffaadb

SHA1
83af154aea762a51f9fa95c83ac366c019622c49

SHA256
a14d9da99dc03658056c9329962a22bf159656644a5ae3f6c3b2d52da91f52c6

SHA512
de12c6b0178d74f15cd592d3a1b958b74af55f2d86452f0416a4e95c60d5c215318f7baf48b1fd4ea4f8dea7d5a65e03981bddc64696fc081f2173554f20d2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu038449.exe

Filesize
487KB

MD5
9d31b83529f2e8eb49659fc292263192

SHA1
9065cfa0fd5d90f6917e9e3f7d5e2ae84b654930

SHA256
80d133f07e84be2978fbdb9820674a352713b7ced4f6af92a405147342ea98a8

SHA512
fa3ea1d4432f4a202eaae71a4523be3b6e03c581c180a4bcb1beaa99453df7a09d194c43a7ba947a3255803423cab8ef3f4f289dc12ccfcfb2124357883d2287

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu038449.exe

Filesize
487KB

MD5
9d31b83529f2e8eb49659fc292263192

SHA1
9065cfa0fd5d90f6917e9e3f7d5e2ae84b654930

SHA256
80d133f07e84be2978fbdb9820674a352713b7ced4f6af92a405147342ea98a8

SHA512
fa3ea1d4432f4a202eaae71a4523be3b6e03c581c180a4bcb1beaa99453df7a09d194c43a7ba947a3255803423cab8ef3f4f289dc12ccfcfb2124357883d2287

Download Submit
memory/3880-986-0x0000000007850000-0x0000000007862000-memory.dmp

Filesize
72KB

Download
memory/3880-988-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3880-997-0x00000000027E0000-0x0000000002830000-memory.dmp

Filesize
320KB

Download
memory/3880-996-0x0000000009330000-0x000000000934E000-memory.dmp

Filesize
120KB

Download
memory/3880-995-0x0000000008CE0000-0x000000000920C000-memory.dmp

Filesize
5.2MB

Download
memory/3880-994-0x0000000008B00000-0x0000000008CC2000-memory.dmp

Filesize
1.8MB

Download
memory/3880-993-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/3880-992-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/3880-991-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/3880-990-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/3880-989-0x00000000079A0000-0x00000000079DE000-memory.dmp

Filesize
248KB

Download
memory/3880-987-0x0000000007880000-0x000000000798A000-memory.dmp

Filesize
1.0MB

Download
memory/3880-985-0x0000000007E20000-0x0000000008426000-memory.dmp

Filesize
6.0MB

Download
memory/3880-226-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-224-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-222-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-220-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-218-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-216-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-214-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-212-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-210-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-208-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-187-0x0000000000B20000-0x0000000000B5C000-memory.dmp

Filesize
240KB

Download
memory/3880-188-0x0000000002580000-0x00000000025BA000-memory.dmp

Filesize
232KB

Download
memory/3880-190-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-189-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-192-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-194-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-196-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-199-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3880-197-0x00000000008F0000-0x0000000000936000-memory.dmp

Filesize
280KB

Download
memory/3880-201-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-204-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-206-0x0000000002580000-0x00000000025B5000-memory.dmp

Filesize
212KB

Download
memory/3880-202-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/3880-200-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/4008-166-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-150-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-147-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-180-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-179-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-178-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-177-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4008-176-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-174-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-172-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-170-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-146-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-168-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-148-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/4008-182-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4008-164-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-149-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-160-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-158-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-156-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-154-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-152-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-162-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/4008-145-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4008-144-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/4008-142-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

Filesize
104KB

Download
memory/4008-143-0x00000000050F0000-0x00000000055EE000-memory.dmp

Filesize
5.0MB

Download
memory/4664-1005-0x0000000007620000-0x0000000007630000-memory.dmp

Filesize
64KB

Download
memory/4664-1004-0x0000000007670000-0x00000000076BB000-memory.dmp

Filesize
300KB

Download
memory/4664-1003-0x00000000008E0000-0x0000000000908000-memory.dmp

Filesize
160KB

Download
memory/4876-1011-0x00000000008E0000-0x0000000000915000-memory.dmp

Filesize
212KB

Download