88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3

Analysis

max time kernel
146s
max time network
93s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-04-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe
Size

1.0MB
MD5

6b199acec7ccf52671ffb278832a2aa8
SHA1

caf1ef2a22ec776a9d1f1d9d4d0ab40371a3db40
SHA256

88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3
SHA512

c6667897b946243f3b017a8d447db193daca00bddb5f8dc3fa5ffac1d5fd810a1a73556902a3951b8405f9bf7e15a4627736b4ef6da48bbfb7db2a850100a976
SSDEEP

24576:RyoTN5tuc8Stp5OtBUG8VCEPMXjiavKGN3Oi853Oud6:EoT/Ic8+56SG8B+lheBd

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr912126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr912126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr912126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr912126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr912126.exe

Executes dropped EXE 6 IoCs

pid	Process
364	un700717.exe
3504	un439813.exe
4036	pr912126.exe
4804	qu817651.exe
1504	rk015794.exe
4092	si247762.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr912126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr912126.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un700717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un700717.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un439813.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un439813.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3684	4092	WerFault.exe	72
4724	4092	WerFault.exe	72
4744	4092	WerFault.exe	72
4420	4092	WerFault.exe	72
4036	4092	WerFault.exe	72
2564	4092	WerFault.exe	72
1256	4092	WerFault.exe	72
2960	4092	WerFault.exe	72
4748	4092	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4036	pr912126.exe
4036	pr912126.exe
4804	qu817651.exe
4804	qu817651.exe
1504	rk015794.exe
1504	rk015794.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4036	pr912126.exe
Token: SeDebugPrivilege	4804	qu817651.exe
Token: SeDebugPrivilege	1504	rk015794.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4092	si247762.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 364	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	66
PID 1596 wrote to memory of 364	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	66
PID 1596 wrote to memory of 364	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	66
PID 364 wrote to memory of 3504	364	un700717.exe	67
PID 364 wrote to memory of 3504	364	un700717.exe	67
PID 364 wrote to memory of 3504	364	un700717.exe	67
PID 3504 wrote to memory of 4036	3504	un439813.exe	68
PID 3504 wrote to memory of 4036	3504	un439813.exe	68
PID 3504 wrote to memory of 4036	3504	un439813.exe	68
PID 3504 wrote to memory of 4804	3504	un439813.exe	69
PID 3504 wrote to memory of 4804	3504	un439813.exe	69
PID 3504 wrote to memory of 4804	3504	un439813.exe	69
PID 364 wrote to memory of 1504	364	un700717.exe	71
PID 364 wrote to memory of 1504	364	un700717.exe	71
PID 364 wrote to memory of 1504	364	un700717.exe	71
PID 1596 wrote to memory of 4092	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	72
PID 1596 wrote to memory of 4092	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	72
PID 1596 wrote to memory of 4092	1596	88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe	72

C:\Users\Admin\AppData\Local\Temp\88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe
"C:\Users\Admin\AppData\Local\Temp\88fc7bf342b4f0ef12d68c492f0b9d0b84382b2ddbc1ec8061372e946e35a6f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700717.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700717.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un439813.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un439813.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr912126.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr912126.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817651.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817651.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk015794.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk015794.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247762.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247762.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 624
    3⤵
    - Program crash
    PID:3684
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 700
    3⤵
    - Program crash
    PID:4724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 836
    3⤵
    - Program crash
    PID:4744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 844
    3⤵
    - Program crash
    PID:4420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 872
    3⤵
    - Program crash
    PID:4036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 884
    3⤵
    - Program crash
    PID:2564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1116
    3⤵
    - Program crash
    PID:1256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1144
    3⤵
    - Program crash
    PID:2960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1204
    3⤵
    - Program crash
    PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247762.exe

Filesize
367KB

MD5
10da2dc926a284b154e2eeea6450b8b7

SHA1
77543c6ccd0fc539a5ba26c3f3d1225a254df1c7

SHA256
d491f436473d6cb0c51c9c3440e7623e93c39c1f619978f6796f3b6de146a6c2

SHA512
6d5f14b7abbb7c552db1373626befe39b749ce781cea8c26ffb73f44428a907217a134ba19c6fd31ec99570bd3dae463974b0836f51b6600d9be5b3b5b185103

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si247762.exe

Filesize
367KB

MD5
10da2dc926a284b154e2eeea6450b8b7

SHA1
77543c6ccd0fc539a5ba26c3f3d1225a254df1c7

SHA256
d491f436473d6cb0c51c9c3440e7623e93c39c1f619978f6796f3b6de146a6c2

SHA512
6d5f14b7abbb7c552db1373626befe39b749ce781cea8c26ffb73f44428a907217a134ba19c6fd31ec99570bd3dae463974b0836f51b6600d9be5b3b5b185103

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700717.exe

Filesize
750KB

MD5
dcda5d88489e639cbb8cef0e1e9a3c93

SHA1
a441b38aeeeb5b8766a6bfbcbcce1c9701301e61

SHA256
26f1b9004f18206c8b6ce21d70303cb07acfae93700186641937d20ac85b6b4e

SHA512
cf88a4809758d6cc262de0fe5849bbdce6677024676cf72e5a90f551017f529228f6a9122d2fe11db4c4542860aed4ce89c94387db071b5fdd9e4bb64191b6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un700717.exe

Filesize
750KB

MD5
dcda5d88489e639cbb8cef0e1e9a3c93

SHA1
a441b38aeeeb5b8766a6bfbcbcce1c9701301e61

SHA256
26f1b9004f18206c8b6ce21d70303cb07acfae93700186641937d20ac85b6b4e

SHA512
cf88a4809758d6cc262de0fe5849bbdce6677024676cf72e5a90f551017f529228f6a9122d2fe11db4c4542860aed4ce89c94387db071b5fdd9e4bb64191b6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk015794.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk015794.exe

Filesize
136KB

MD5
ac0ffc4fceebe7be421ae8fc8517d1bf

SHA1
fa6a6f1878e561b5401ae36422add3d34cfdf6dd

SHA256
fe0c2e45eda219cfb1d2bd132437d2412d84cbe8cc2787dd4ff710e1be5c9718

SHA512
23de94ab73fc8cf91d573870d7ac1fb6976eaed31d93e0619378ea93ac5feaf06967bc652525b584bba1b973a2c6e6075b8d7dbe3a8ddf5d569b4e80722bfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un439813.exe

Filesize
596KB

MD5
b444465560ff9e85c3c1566a9efa7583

SHA1
53ab7a3a2d00e4b60106a6a67d2c9f9c85e4555d

SHA256
fa962f535b0f756179134aa7f4747e956e87fed68aa160adea6885f7272e624e

SHA512
f75c697f9d34e41713142af04c172a3bd1defaaf6a076f6cdc0035cc607ecad29028703f0a84645c642a17073ab11ece6da658c4aa97bb211732e92dbdfed71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un439813.exe

Filesize
596KB

MD5
b444465560ff9e85c3c1566a9efa7583

SHA1
53ab7a3a2d00e4b60106a6a67d2c9f9c85e4555d

SHA256
fa962f535b0f756179134aa7f4747e956e87fed68aa160adea6885f7272e624e

SHA512
f75c697f9d34e41713142af04c172a3bd1defaaf6a076f6cdc0035cc607ecad29028703f0a84645c642a17073ab11ece6da658c4aa97bb211732e92dbdfed71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr912126.exe

Filesize
389KB

MD5
c8b1e6dc1f755dc5c4dec336b885e14a

SHA1
0abe306a9ad2e7dc2463de6f0c0d8e0960a782d0

SHA256
6c83fcc4f2c9f7ae59c6c72cc93eca5f490469561d9896e5a5d069a5ac238309

SHA512
9462dfc3b891fa3529b8ede0705fb1fe4bb374a484bb37836833a30c7cdcb98de66a31b20196fa9ad9a42aa086f33a98866d9d5f8ddeaaf7d251fb3ad64222f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr912126.exe

Filesize
389KB

MD5
c8b1e6dc1f755dc5c4dec336b885e14a

SHA1
0abe306a9ad2e7dc2463de6f0c0d8e0960a782d0

SHA256
6c83fcc4f2c9f7ae59c6c72cc93eca5f490469561d9896e5a5d069a5ac238309

SHA512
9462dfc3b891fa3529b8ede0705fb1fe4bb374a484bb37836833a30c7cdcb98de66a31b20196fa9ad9a42aa086f33a98866d9d5f8ddeaaf7d251fb3ad64222f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817651.exe

Filesize
472KB

MD5
8260f2abfd9559f833bc8b8f6208be1d

SHA1
d8aa0eeace076e6cc25b9260a559481af317e695

SHA256
a15bfd3e3281c4861c88058d7278d2e574ee67474712d4e4d1e8dff72d3ada9b

SHA512
c33f96724262b5d43169c81fad3aa0e2d8e2d3a3fae85b119571f71764a417e1e24d538dc8a80a25322e84dd9484ffdc39b033811ec3d126c0e54909038a2f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu817651.exe

Filesize
472KB

MD5
8260f2abfd9559f833bc8b8f6208be1d

SHA1
d8aa0eeace076e6cc25b9260a559481af317e695

SHA256
a15bfd3e3281c4861c88058d7278d2e574ee67474712d4e4d1e8dff72d3ada9b

SHA512
c33f96724262b5d43169c81fad3aa0e2d8e2d3a3fae85b119571f71764a417e1e24d538dc8a80a25322e84dd9484ffdc39b033811ec3d126c0e54909038a2f07

Download Submit
memory/1504-1002-0x0000000000A50000-0x0000000000A78000-memory.dmp

Filesize
160KB

Download
memory/1504-1004-0x00000000077D0000-0x00000000077E0000-memory.dmp

Filesize
64KB

Download
memory/1504-1003-0x00000000077E0000-0x000000000782B000-memory.dmp

Filesize
300KB

Download
memory/4036-151-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-167-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-147-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-148-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-149-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-145-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-153-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-155-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-157-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-159-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-161-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-163-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-165-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-146-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-169-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-171-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-173-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-175-0x00000000028A0000-0x00000000028B2000-memory.dmp

Filesize
72KB

Download
memory/4036-176-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/4036-177-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-178-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-179-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/4036-181-0x0000000000400000-0x0000000000806000-memory.dmp

Filesize
4.0MB

Download
memory/4036-141-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/4036-144-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4036-143-0x00000000028A0000-0x00000000028B8000-memory.dmp

Filesize
96KB

Download
memory/4036-142-0x0000000004ED0000-0x00000000053CE000-memory.dmp

Filesize
5.0MB

Download
memory/4092-1010-0x0000000000800000-0x0000000000835000-memory.dmp

Filesize
212KB

Download
memory/4804-188-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-195-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-197-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-199-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-201-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-203-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-205-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-207-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-209-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-211-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-213-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-215-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-217-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-219-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-221-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-470-0x0000000000820000-0x0000000000866000-memory.dmp

Filesize
280KB

Download
memory/4804-471-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4804-473-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4804-474-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4804-984-0x0000000007800000-0x0000000007E06000-memory.dmp

Filesize
6.0MB

Download
memory/4804-985-0x0000000007E60000-0x0000000007E72000-memory.dmp

Filesize
72KB

Download
memory/4804-986-0x0000000007E90000-0x0000000007F9A000-memory.dmp

Filesize
1.0MB

Download
memory/4804-987-0x0000000007FB0000-0x0000000007FEE000-memory.dmp

Filesize
248KB

Download
memory/4804-988-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4804-989-0x0000000008030000-0x000000000807B000-memory.dmp

Filesize
300KB

Download
memory/4804-990-0x00000000082C0000-0x0000000008326000-memory.dmp

Filesize
408KB

Download
memory/4804-991-0x0000000008970000-0x0000000008A02000-memory.dmp

Filesize
584KB

Download
memory/4804-992-0x0000000008A20000-0x0000000008A70000-memory.dmp

Filesize
320KB

Download
memory/4804-993-0x0000000008A90000-0x0000000008B06000-memory.dmp

Filesize
472KB

Download
memory/4804-193-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-191-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-189-0x0000000005300000-0x0000000005335000-memory.dmp

Filesize
212KB

Download
memory/4804-187-0x0000000005300000-0x000000000533A000-memory.dmp

Filesize
232KB

Download
memory/4804-186-0x0000000004D80000-0x0000000004DBC000-memory.dmp

Filesize
240KB

Download
memory/4804-994-0x0000000008C30000-0x0000000008C4E000-memory.dmp

Filesize
120KB

Download
memory/4804-995-0x0000000008D00000-0x0000000008EC2000-memory.dmp

Filesize
1.8MB

Download
memory/4804-996-0x0000000008ED0000-0x00000000093FC000-memory.dmp

Filesize
5.2MB

Download