9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c

Analysis

max time kernel
149s
max time network
96s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/04/2023, 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe
Size

1.1MB
MD5

639117d9498d62ea296504f8b721bc35
SHA1

df173162b4898f4795eb538c28f83b9af7b57424
SHA256

9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c
SHA512

df43e6c8731d1c3beef7f90224f71598d68f4b21f904ca55cce80f734aafa11b55ff52f19ce10c84a6b75e328a448f834a6b3706e31f0d0ed2f65f96226bf8f3
SSDEEP

24576:2yEkCZxXj71GefLLeyChV5i17P8qm4jCyfHfXFpA5tSynSSvvOJnw:FEkEQuLeBi17PGVUNpyPnSS6n

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr929426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr929426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr929426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr929426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr929426.exe

Executes dropped EXE 6 IoCs

pid	Process
4100	un990998.exe
2572	un005127.exe
4292	pr929426.exe
3700	qu692183.exe
4352	rk198729.exe
3084	si828582.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr929426.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr929426.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un005127.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un005127.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un990998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un990998.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3716	3084	WerFault.exe	72
4292	3084	WerFault.exe	72
2552	3084	WerFault.exe	72
4824	3084	WerFault.exe	72
1516	3084	WerFault.exe	72
1192	3084	WerFault.exe	72
4832	3084	WerFault.exe	72
2864	3084	WerFault.exe	72
4828	3084	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4292	pr929426.exe
4292	pr929426.exe
3700	qu692183.exe
3700	qu692183.exe
4352	rk198729.exe
4352	rk198729.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	pr929426.exe
Token: SeDebugPrivilege	3700	qu692183.exe
Token: SeDebugPrivilege	4352	rk198729.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3084	si828582.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 4100	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	66
PID 1432 wrote to memory of 4100	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	66
PID 1432 wrote to memory of 4100	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	66
PID 4100 wrote to memory of 2572	4100	un990998.exe	67
PID 4100 wrote to memory of 2572	4100	un990998.exe	67
PID 4100 wrote to memory of 2572	4100	un990998.exe	67
PID 2572 wrote to memory of 4292	2572	un005127.exe	68
PID 2572 wrote to memory of 4292	2572	un005127.exe	68
PID 2572 wrote to memory of 4292	2572	un005127.exe	68
PID 2572 wrote to memory of 3700	2572	un005127.exe	69
PID 2572 wrote to memory of 3700	2572	un005127.exe	69
PID 2572 wrote to memory of 3700	2572	un005127.exe	69
PID 4100 wrote to memory of 4352	4100	un990998.exe	71
PID 4100 wrote to memory of 4352	4100	un990998.exe	71
PID 4100 wrote to memory of 4352	4100	un990998.exe	71
PID 1432 wrote to memory of 3084	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	72
PID 1432 wrote to memory of 3084	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	72
PID 1432 wrote to memory of 3084	1432	9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe	72

C:\Users\Admin\AppData\Local\Temp\9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe
"C:\Users\Admin\AppData\Local\Temp\9da8daffff2ae95eee15952c781e8a3bdb215a9b0b617d5ec6cfd61d37cbbf0c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un990998.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un990998.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un005127.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un005127.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr929426.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr929426.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692183.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692183.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3700
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk198729.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk198729.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828582.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828582.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 620
    3⤵
    - Program crash
    PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 700
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 800
    3⤵
    - Program crash
    PID:2552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 848
    3⤵
    - Program crash
    PID:4824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 884
    3⤵
    - Program crash
    PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 860
    3⤵
    - Program crash
    PID:1192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1124
    3⤵
    - Program crash
    PID:4832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1156
    3⤵
    - Program crash
    PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1212
    3⤵
    - Program crash
    PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828582.exe

Filesize
384KB

MD5
32eaf6fcd16a6abc71b4d4b230fb212e

SHA1
b434a963181403fe25aa788c1d1c99eefae15828

SHA256
b712dd73d4a16c100e7edcd4700ea1d72b3d2f19c19e3541344286ed42369534

SHA512
9fc3f11e99c34582b7f6ef208d62856b8a7e64dc23b4f972631a6940c05161832f5f9dc61dd62d5099d15e1010e3d66f16482e284da9ba96df1bbd525dd49fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si828582.exe

Filesize
384KB

MD5
32eaf6fcd16a6abc71b4d4b230fb212e

SHA1
b434a963181403fe25aa788c1d1c99eefae15828

SHA256
b712dd73d4a16c100e7edcd4700ea1d72b3d2f19c19e3541344286ed42369534

SHA512
9fc3f11e99c34582b7f6ef208d62856b8a7e64dc23b4f972631a6940c05161832f5f9dc61dd62d5099d15e1010e3d66f16482e284da9ba96df1bbd525dd49fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un990998.exe

Filesize
764KB

MD5
51db1900702cfdeb236927b8e976454c

SHA1
0ef257b5432cc23844aae64e3f2ac156a8448ac8

SHA256
9f012d899de649c084a0b99e07c4ffea19723247716081c69f0513a4e7f357ca

SHA512
5ec2374eaf9ac4b63c369e953d925df95d8c490723ac05ff84db19db958bd977d7a1db82a05e424992926ecc36105a841590ac74a7f05e763befeb9b10a327be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un990998.exe

Filesize
764KB

MD5
51db1900702cfdeb236927b8e976454c

SHA1
0ef257b5432cc23844aae64e3f2ac156a8448ac8

SHA256
9f012d899de649c084a0b99e07c4ffea19723247716081c69f0513a4e7f357ca

SHA512
5ec2374eaf9ac4b63c369e953d925df95d8c490723ac05ff84db19db958bd977d7a1db82a05e424992926ecc36105a841590ac74a7f05e763befeb9b10a327be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk198729.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk198729.exe

Filesize
136KB

MD5
86810f340795831f3c2bd147981be929

SHA1
573345e2c322720fa43f74d761ff1d48028f36c9

SHA256
d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

SHA512
c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un005127.exe

Filesize
610KB

MD5
862610746b4f7f4263b755d6b13e8861

SHA1
8bb277df78852456146588a1c238937c5c7437c5

SHA256
7e7c70a47ee5ba10f7e472bb4e8b1e91182090799d6e0e2781587b4a719fae3a

SHA512
476718ede5d26989a94663b361e3521a6afa38c15153d2117050f01299d288350b7fcdc2dfd45dee430b9cbb109abb7750916faab646bded1394bd47b15f0a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un005127.exe

Filesize
610KB

MD5
862610746b4f7f4263b755d6b13e8861

SHA1
8bb277df78852456146588a1c238937c5c7437c5

SHA256
7e7c70a47ee5ba10f7e472bb4e8b1e91182090799d6e0e2781587b4a719fae3a

SHA512
476718ede5d26989a94663b361e3521a6afa38c15153d2117050f01299d288350b7fcdc2dfd45dee430b9cbb109abb7750916faab646bded1394bd47b15f0a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr929426.exe

Filesize
405KB

MD5
704814698b3a50be02f6f94aa2c262ff

SHA1
f366de513b6ce5b0df3e79928d46f980b5440531

SHA256
ac5a42f9c3e463a3c6798b8af422f06b0977b5329a20cb913689a5c2adf25e96

SHA512
5ee995e665df8e396a6364c8416d4307ff10e0883b45d3c0ba2a57c3477051ba5c7e817be85a15d9c3c4cb21636ddeecdc669c09b8b66bc5989bdd4e0dca3c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr929426.exe

Filesize
405KB

MD5
704814698b3a50be02f6f94aa2c262ff

SHA1
f366de513b6ce5b0df3e79928d46f980b5440531

SHA256
ac5a42f9c3e463a3c6798b8af422f06b0977b5329a20cb913689a5c2adf25e96

SHA512
5ee995e665df8e396a6364c8416d4307ff10e0883b45d3c0ba2a57c3477051ba5c7e817be85a15d9c3c4cb21636ddeecdc669c09b8b66bc5989bdd4e0dca3c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692183.exe

Filesize
488KB

MD5
3cd7225a2c0653444d4e38eb935d4808

SHA1
5da9d0921d49cd61eb560f4e911be17246618b79

SHA256
83d83c34b641e276d65f654cfb856b4a684bbdd1c9e8a578b0f23987a52569c7

SHA512
c59b7bd0307170fbdf8d133ee36340aec6fec842b25de68fc34eb01715ebc14e92157e66b0da4a843f0d1e475d6b1440ad5418ac4357d2aaf8a3f578a27b2f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu692183.exe

Filesize
488KB

MD5
3cd7225a2c0653444d4e38eb935d4808

SHA1
5da9d0921d49cd61eb560f4e911be17246618b79

SHA256
83d83c34b641e276d65f654cfb856b4a684bbdd1c9e8a578b0f23987a52569c7

SHA512
c59b7bd0307170fbdf8d133ee36340aec6fec842b25de68fc34eb01715ebc14e92157e66b0da4a843f0d1e475d6b1440ad5418ac4357d2aaf8a3f578a27b2f68

Download Submit
memory/3084-1007-0x0000000000810000-0x0000000000845000-memory.dmp

Filesize
212KB

Download
memory/3700-981-0x0000000007850000-0x0000000007E56000-memory.dmp

Filesize
6.0MB

Download
memory/3700-986-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3700-993-0x0000000008ED0000-0x00000000093FC000-memory.dmp

Filesize
5.2MB

Download
memory/3700-992-0x0000000008CF0000-0x0000000008EB2000-memory.dmp

Filesize
1.8MB

Download
memory/3700-991-0x0000000008B40000-0x0000000008B5E000-memory.dmp

Filesize
120KB

Download
memory/3700-990-0x0000000008A90000-0x0000000008B06000-memory.dmp

Filesize
472KB

Download
memory/3700-989-0x0000000008A20000-0x0000000008A70000-memory.dmp

Filesize
320KB

Download
memory/3700-988-0x0000000008980000-0x0000000008A12000-memory.dmp

Filesize
584KB

Download
memory/3700-987-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/3700-985-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/3700-984-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/3700-983-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/3700-982-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/3700-295-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3700-293-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3700-292-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/3700-291-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/3700-183-0x00000000028F0000-0x000000000292C000-memory.dmp

Filesize
240KB

Download
memory/3700-184-0x0000000004DC0000-0x0000000004DFA000-memory.dmp

Filesize
232KB

Download
memory/3700-185-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-186-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-188-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-190-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-192-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-194-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-196-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-198-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-202-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-200-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-204-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-206-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-208-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-210-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-212-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-214-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-216-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/3700-218-0x0000000004DC0000-0x0000000004DF5000-memory.dmp

Filesize
212KB

Download
memory/4292-163-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-165-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-178-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4292-176-0x0000000000400000-0x000000000080A000-memory.dmp

Filesize
4.0MB

Download
memory/4292-148-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-175-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-173-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-171-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-169-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-153-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-167-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-145-0x0000000002540000-0x000000000255A000-memory.dmp

Filesize
104KB

Download
memory/4292-151-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-159-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-149-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-157-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-155-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4292-147-0x00000000025B0000-0x00000000025C8000-memory.dmp

Filesize
96KB

Download
memory/4292-146-0x0000000004EC0000-0x00000000053BE000-memory.dmp

Filesize
5.0MB

Download
memory/4292-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4292-144-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/4292-161-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download
memory/4352-1001-0x00000000078B0000-0x00000000078C0000-memory.dmp

Filesize
64KB

Download
memory/4352-1000-0x00000000075A0000-0x00000000075EB000-memory.dmp

Filesize
300KB

Download
memory/4352-999-0x0000000000820000-0x0000000000848000-memory.dmp

Filesize
160KB

Download