020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f

Analysis

max time kernel
149s
max time network
96s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe
Size

1.1MB
MD5

c0245bd4963dcc9e9126a1a32c120ee6
SHA1

a550fe4ea548e806b2dcb835e8a56a39e6f3a98a
SHA256

020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f
SHA512

b3bf5b9e71da9cf61820f369b854a9f20fd8c796274c98461eb7f2bd2c02cde468520615572557ff62665e9993291aff3c7a923ec6aaf0d6fe8604e5606393b8
SSDEEP

24576:jy/Gue7ypGdX+c5OUdVPyfb8L7ZvlNVKswfpf77bc:2/Gf7dX+1UH0cMf7P

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr731450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr731450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr731450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr731450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr731450.exe

Executes dropped EXE 6 IoCs

pid	Process
2592	un601377.exe
2688	un976075.exe
4300	pr731450.exe
4876	qu945356.exe
2600	rk644538.exe
2900	si719920.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr731450.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr731450.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un601377.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un976075.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un976075.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un601377.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4656	2900	WerFault.exe	72
4752	2900	WerFault.exe	72
4840	2900	WerFault.exe	72
4836	2900	WerFault.exe	72
1408	2900	WerFault.exe	72
2804	2900	WerFault.exe	72
1008	2900	WerFault.exe	72
1512	2900	WerFault.exe	72
4040	2900	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4300	pr731450.exe
4300	pr731450.exe
4876	qu945356.exe
4876	qu945356.exe
2600	rk644538.exe
2600	rk644538.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4300	pr731450.exe
Token: SeDebugPrivilege	4876	qu945356.exe
Token: SeDebugPrivilege	2600	rk644538.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2900	si719920.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2592	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	66
PID 1012 wrote to memory of 2592	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	66
PID 1012 wrote to memory of 2592	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	66
PID 2592 wrote to memory of 2688	2592	un601377.exe	67
PID 2592 wrote to memory of 2688	2592	un601377.exe	67
PID 2592 wrote to memory of 2688	2592	un601377.exe	67
PID 2688 wrote to memory of 4300	2688	un976075.exe	68
PID 2688 wrote to memory of 4300	2688	un976075.exe	68
PID 2688 wrote to memory of 4300	2688	un976075.exe	68
PID 2688 wrote to memory of 4876	2688	un976075.exe	69
PID 2688 wrote to memory of 4876	2688	un976075.exe	69
PID 2688 wrote to memory of 4876	2688	un976075.exe	69
PID 2592 wrote to memory of 2600	2592	un601377.exe	71
PID 2592 wrote to memory of 2600	2592	un601377.exe	71
PID 2592 wrote to memory of 2600	2592	un601377.exe	71
PID 1012 wrote to memory of 2900	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	72
PID 1012 wrote to memory of 2900	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	72
PID 1012 wrote to memory of 2900	1012	020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe	72

C:\Users\Admin\AppData\Local\Temp\020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe
"C:\Users\Admin\AppData\Local\Temp\020814769e5001fb79186beb2a5d7b363742e59386485d32742537c323c23f6f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un601377.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un601377.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un976075.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un976075.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731450.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731450.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu945356.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu945356.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk644538.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk644538.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719920.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719920.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 620
    3⤵
    - Program crash
    PID:4656
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 700
    3⤵
    - Program crash
    PID:4752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 840
    3⤵
    - Program crash
    PID:4840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 828
    3⤵
    - Program crash
    PID:4836
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 888
    3⤵
    - Program crash
    PID:1408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 900
    3⤵
    - Program crash
    PID:2804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1120
    3⤵
    - Program crash
    PID:1008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1152
    3⤵
    - Program crash
    PID:1512
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1100
    3⤵
    - Program crash
    PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719920.exe

Filesize
384KB

MD5
748848be0a7ee03830cffee4f1f940ee

SHA1
1964c08936f6d36b8ef53c55e86cf3becc3cb570

SHA256
7065b11b5fc6621bbe88877d723f8e495165b483390425d03f6a53887411821c

SHA512
51f04cfda8b66a98234e346293391363341432dc80e47e3a6b4ad14ebe15842855988c25169f1475972d6ced2e1703f4526236652f0ca1199f1d657a870fad89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si719920.exe

Filesize
384KB

MD5
748848be0a7ee03830cffee4f1f940ee

SHA1
1964c08936f6d36b8ef53c55e86cf3becc3cb570

SHA256
7065b11b5fc6621bbe88877d723f8e495165b483390425d03f6a53887411821c

SHA512
51f04cfda8b66a98234e346293391363341432dc80e47e3a6b4ad14ebe15842855988c25169f1475972d6ced2e1703f4526236652f0ca1199f1d657a870fad89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un601377.exe

Filesize
765KB

MD5
31686e2790f0e246084efca3af3fbf6a

SHA1
c9a5034c2d9667730b5747c417d82f0be523d138

SHA256
2afed87e0f25c73c2bb3b675c361d5fba9f135ce34ebc70f5850899c06145c42

SHA512
6bbbfcb3507bdefe41472d7d134415d877864f5d39f1b459d65553881a4d89149ff53ded734b2bcd73f28e6fa7b8fabf5841a2fa5f460e5d06db8f526bad3689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un601377.exe

Filesize
765KB

MD5
31686e2790f0e246084efca3af3fbf6a

SHA1
c9a5034c2d9667730b5747c417d82f0be523d138

SHA256
2afed87e0f25c73c2bb3b675c361d5fba9f135ce34ebc70f5850899c06145c42

SHA512
6bbbfcb3507bdefe41472d7d134415d877864f5d39f1b459d65553881a4d89149ff53ded734b2bcd73f28e6fa7b8fabf5841a2fa5f460e5d06db8f526bad3689

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk644538.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk644538.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un976075.exe

Filesize
611KB

MD5
ed9e176470cec902da46cf363ca7076f

SHA1
5d203e4f76344fbc59c3a8d7dc2b9b5fb0edfd64

SHA256
1f6e6b36acdb7e66a07d03ba8aad4be056eeeaf06c4d8fecc020f99bcac735cd

SHA512
d10b8f0d221060d6c5f186bae3e1d5abd7a7ca59658016d933d3e99a4c26d5a7fe5b30b7d2de939a9f0a4a7dee00812382bb84e6be35ae82901c5b82adf19752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un976075.exe

Filesize
611KB

MD5
ed9e176470cec902da46cf363ca7076f

SHA1
5d203e4f76344fbc59c3a8d7dc2b9b5fb0edfd64

SHA256
1f6e6b36acdb7e66a07d03ba8aad4be056eeeaf06c4d8fecc020f99bcac735cd

SHA512
d10b8f0d221060d6c5f186bae3e1d5abd7a7ca59658016d933d3e99a4c26d5a7fe5b30b7d2de939a9f0a4a7dee00812382bb84e6be35ae82901c5b82adf19752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731450.exe

Filesize
405KB

MD5
b5410a82226fe9b37a19cd35ce6717e5

SHA1
85985672a14d962e8669d26853e4104b4569786c

SHA256
d677b9403e953225c5dd1caca86367e73df5f3be2d869db2692f6e2f053b10e5

SHA512
f5bcf5f048810d31aff54b74c5557bc8cb5b45a66e93bb5281a52c62b8e4eae3933f49aaa348f4f2794b5f570c640ce437abf96af231e0a06f6b2f400ca60a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr731450.exe

Filesize
405KB

MD5
b5410a82226fe9b37a19cd35ce6717e5

SHA1
85985672a14d962e8669d26853e4104b4569786c

SHA256
d677b9403e953225c5dd1caca86367e73df5f3be2d869db2692f6e2f053b10e5

SHA512
f5bcf5f048810d31aff54b74c5557bc8cb5b45a66e93bb5281a52c62b8e4eae3933f49aaa348f4f2794b5f570c640ce437abf96af231e0a06f6b2f400ca60a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu945356.exe

Filesize
488KB

MD5
35717380cbfb685e9fac731ff5cf5afc

SHA1
503668f10455a5a923c99361c329ff86561554fb

SHA256
a12ba0633a60409d1b57a25a41e238368b72c5065d121697436c08aaacbf9f76

SHA512
39831cf5fe64fe11660cb7becfbd6dd4db0dfd024b86649181fb0ab9fe71b7bd9c2e3e5d107b08384df7e57c94a36f1d0bc24cf54953c4fb2ee80b57fec95183

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu945356.exe

Filesize
488KB

MD5
35717380cbfb685e9fac731ff5cf5afc

SHA1
503668f10455a5a923c99361c329ff86561554fb

SHA256
a12ba0633a60409d1b57a25a41e238368b72c5065d121697436c08aaacbf9f76

SHA512
39831cf5fe64fe11660cb7becfbd6dd4db0dfd024b86649181fb0ab9fe71b7bd9c2e3e5d107b08384df7e57c94a36f1d0bc24cf54953c4fb2ee80b57fec95183

Download Submit
memory/2600-1004-0x0000000000C60000-0x0000000000C88000-memory.dmp

Filesize
160KB

Download
memory/2600-1006-0x0000000007A30000-0x0000000007A40000-memory.dmp

Filesize
64KB

Download
memory/2600-1005-0x00000000079E0000-0x0000000007A2B000-memory.dmp

Filesize
300KB

Download
memory/2900-1012-0x00000000008E0000-0x0000000000915000-memory.dmp

Filesize
212KB

Download
memory/4300-153-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-171-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-150-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-151-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-148-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-155-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-157-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-159-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-161-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-163-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-165-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-167-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-169-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-149-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-173-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-175-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-177-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4300-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4300-179-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-180-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-182-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-183-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4300-147-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4300-146-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4300-145-0x0000000002550000-0x0000000002568000-memory.dmp

Filesize
96KB

Download
memory/4300-144-0x0000000004E10000-0x000000000530E000-memory.dmp

Filesize
5.0MB

Download
memory/4300-143-0x00000000022F0000-0x000000000230A000-memory.dmp

Filesize
104KB

Download
memory/4876-190-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-197-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-201-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-199-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-203-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-205-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-207-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-209-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-211-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-213-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-215-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-217-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-219-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-221-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-223-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-328-0x00000000008B0000-0x00000000008F6000-memory.dmp

Filesize
280KB

Download
memory/4876-330-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4876-331-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4876-334-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4876-986-0x0000000007EA0000-0x00000000084A6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-987-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/4876-988-0x0000000007890000-0x000000000799A000-memory.dmp

Filesize
1.0MB

Download
memory/4876-989-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/4876-990-0x00000000079A0000-0x00000000079DE000-memory.dmp

Filesize
248KB

Download
memory/4876-991-0x0000000007B20000-0x0000000007B6B000-memory.dmp

Filesize
300KB

Download
memory/4876-992-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/4876-993-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/4876-994-0x0000000008A20000-0x0000000008A96000-memory.dmp

Filesize
472KB

Download
memory/4876-995-0x0000000008AF0000-0x0000000008B0E000-memory.dmp

Filesize
120KB

Download
memory/4876-195-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-193-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-191-0x0000000002720000-0x0000000002755000-memory.dmp

Filesize
212KB

Download
memory/4876-189-0x0000000002720000-0x000000000275A000-memory.dmp

Filesize
232KB

Download
memory/4876-188-0x0000000002460000-0x000000000249C000-memory.dmp

Filesize
240KB

Download
memory/4876-996-0x0000000008C90000-0x0000000008CE0000-memory.dmp

Filesize
320KB

Download
memory/4876-997-0x0000000008E40000-0x0000000009002000-memory.dmp

Filesize
1.8MB

Download
memory/4876-998-0x0000000009010000-0x000000000953C000-memory.dmp

Filesize
5.2MB

Download