78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65

Analysis

max time kernel
142s
max time network
100s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22/04/2023, 06:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe
Size

965KB
MD5

68e8ecf8666a21e420450996221cba84
SHA1

5935636d813b5f23a15f093f517c3467131a12ed
SHA256

78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65
SHA512

4594d8e7baa3cfdc5aaf10a76d3ba930a3ed0d869b3df3364f0a22c11ca590147404925dce4cbf54c01a141277dc491a69af363ea1892922dba5a91c04cb8033
SSDEEP

24576:NyejFHCDJDnih/Zc+lj2vrUZcG2lIMt+NY/pa/:oejFHUo/ZcRv3G2lIMcNYB

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr582483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr582483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr582483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr582483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr582483.exe

Executes dropped EXE 6 IoCs

pid	Process
2248	un984147.exe
2600	un492976.exe
2648	pr582483.exe
4472	qu182466.exe
2568	rk165811.exe
3152	si216633.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr582483.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr582483.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un492976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un492976.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	un984147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un984147.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4328	3152	WerFault.exe	72
3932	3152	WerFault.exe	72
2892	3152	WerFault.exe	72
3080	3152	WerFault.exe	72
3644	3152	WerFault.exe	72
3496	3152	WerFault.exe	72
1432	3152	WerFault.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2648	pr582483.exe
2648	pr582483.exe
4472	qu182466.exe
4472	qu182466.exe
2568	rk165811.exe
2568	rk165811.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	pr582483.exe
Token: SeDebugPrivilege	4472	qu182466.exe
Token: SeDebugPrivilege	2568	rk165811.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2248	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	66
PID 2072 wrote to memory of 2248	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	66
PID 2072 wrote to memory of 2248	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	66
PID 2248 wrote to memory of 2600	2248	un984147.exe	67
PID 2248 wrote to memory of 2600	2248	un984147.exe	67
PID 2248 wrote to memory of 2600	2248	un984147.exe	67
PID 2600 wrote to memory of 2648	2600	un492976.exe	68
PID 2600 wrote to memory of 2648	2600	un492976.exe	68
PID 2600 wrote to memory of 2648	2600	un492976.exe	68
PID 2600 wrote to memory of 4472	2600	un492976.exe	69
PID 2600 wrote to memory of 4472	2600	un492976.exe	69
PID 2600 wrote to memory of 4472	2600	un492976.exe	69
PID 2248 wrote to memory of 2568	2248	un984147.exe	71
PID 2248 wrote to memory of 2568	2248	un984147.exe	71
PID 2248 wrote to memory of 2568	2248	un984147.exe	71
PID 2072 wrote to memory of 3152	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	72
PID 2072 wrote to memory of 3152	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	72
PID 2072 wrote to memory of 3152	2072	78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe	72

C:\Users\Admin\AppData\Local\Temp\78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe
"C:\Users\Admin\AppData\Local\Temp\78f83d8ec8e8d418ad3e485b9c8968797c1981b5e56d431487ea20c7210a0c65.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un984147.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un984147.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un492976.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un492976.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr582483.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr582483.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu182466.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu182466.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk165811.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk165811.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si216633.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si216633.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 616
    3⤵
    - Program crash
    PID:4328
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 696
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 836
    3⤵
    - Program crash
    PID:2892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 824
    3⤵
    - Program crash
    PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 872
    3⤵
    - Program crash
    PID:3644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 848
    3⤵
    - Program crash
    PID:3496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 1072
    3⤵
    - Program crash
    PID:1432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si216633.exe

Filesize
278KB

MD5
7e368a944fb6ca9d40bb21e3c6618dd6

SHA1
6ddff2b72d401ccc32da31d06f06e0dd7fa03750

SHA256
59393d56c325b068eadded4908825d26ac0aa5981a533838ee5c0822fba8db4c

SHA512
11fabc4c117dd8422ff5f2cc2c2aeb106fd513def5fc2e7ce5b87d1ef039f980a835c0bbaf7ade14a936bd4e0f3730a4f0d14edb679d848883b8c752c5720776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si216633.exe

Filesize
278KB

MD5
7e368a944fb6ca9d40bb21e3c6618dd6

SHA1
6ddff2b72d401ccc32da31d06f06e0dd7fa03750

SHA256
59393d56c325b068eadded4908825d26ac0aa5981a533838ee5c0822fba8db4c

SHA512
11fabc4c117dd8422ff5f2cc2c2aeb106fd513def5fc2e7ce5b87d1ef039f980a835c0bbaf7ade14a936bd4e0f3730a4f0d14edb679d848883b8c752c5720776

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un984147.exe

Filesize
706KB

MD5
0fce1731859fe99a974401dd575191b4

SHA1
e4b0c362523e4208020ea8081c881ff02a727ecf

SHA256
767cef07dd5f4dec675b0f07e912ab063926cc6e3fe0cd6feecade79cb090aa6

SHA512
ebb16cb47fda8570f66a3bdf71f065fa3544f30e0b6c51ab32468693c19df614feba6b711f5fffefba930c121e60674d7edfd5ac5d90d5beaf8b03b64de32b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un984147.exe

Filesize
706KB

MD5
0fce1731859fe99a974401dd575191b4

SHA1
e4b0c362523e4208020ea8081c881ff02a727ecf

SHA256
767cef07dd5f4dec675b0f07e912ab063926cc6e3fe0cd6feecade79cb090aa6

SHA512
ebb16cb47fda8570f66a3bdf71f065fa3544f30e0b6c51ab32468693c19df614feba6b711f5fffefba930c121e60674d7edfd5ac5d90d5beaf8b03b64de32b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk165811.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk165811.exe

Filesize
136KB

MD5
9c75a048f066d01b19ed80dc6e7a7101

SHA1
7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

SHA256
c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

SHA512
b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un492976.exe

Filesize
552KB

MD5
49cd106e29e8e314d65caf3814068e26

SHA1
cc0edfa63a2b27e3cf257869723962819aefa024

SHA256
ab423caf8b48ee226db766e8f23f628350e3a8aeff84bfa88e7777a5e2a7de43

SHA512
acddd16efd9dee214f6a83e5179734997846139a23e677549ad33c0d140c9da8fc5a4af7eb6d2d2a8c2772638ffefb554d00783ba7788f36bc2e4f9433cd702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un492976.exe

Filesize
552KB

MD5
49cd106e29e8e314d65caf3814068e26

SHA1
cc0edfa63a2b27e3cf257869723962819aefa024

SHA256
ab423caf8b48ee226db766e8f23f628350e3a8aeff84bfa88e7777a5e2a7de43

SHA512
acddd16efd9dee214f6a83e5179734997846139a23e677549ad33c0d140c9da8fc5a4af7eb6d2d2a8c2772638ffefb554d00783ba7788f36bc2e4f9433cd702f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr582483.exe

Filesize
299KB

MD5
2de877336c42c375fe463165c2c1c193

SHA1
d7390c201d7d66436ec92a6498ff8e034cf4e7d2

SHA256
155cf9524ec667392cca192eac96941336ff70145c877a914ba41655ecdf7874

SHA512
483c6ff91255e2ad528fdba1eb1487b2954076ee5a13a1dd0e8789a97c25cc0b3fb5cde9e6d40710b1a9dc2cefcd271fe4a4e810a02428984b3c07d71b4e4f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr582483.exe

Filesize
299KB

MD5
2de877336c42c375fe463165c2c1c193

SHA1
d7390c201d7d66436ec92a6498ff8e034cf4e7d2

SHA256
155cf9524ec667392cca192eac96941336ff70145c877a914ba41655ecdf7874

SHA512
483c6ff91255e2ad528fdba1eb1487b2954076ee5a13a1dd0e8789a97c25cc0b3fb5cde9e6d40710b1a9dc2cefcd271fe4a4e810a02428984b3c07d71b4e4f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu182466.exe

Filesize
382KB

MD5
868b30615e6dbf7d7b1c6fb1323de435

SHA1
5ba829e645113e3c7455f7f22c47485f001c0084

SHA256
cf7997fe63cc3ca5b60e609f756d3252d371e6fc13948468957d83277b61f165

SHA512
e37737e3198b87c0cce9bf85ae5f71a97638ffdc6461625586939663cf726b16d30bc1d05b36edbcd117574c5ae5a3e9985344a116319d25a97987929b14d5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu182466.exe

Filesize
382KB

MD5
868b30615e6dbf7d7b1c6fb1323de435

SHA1
5ba829e645113e3c7455f7f22c47485f001c0084

SHA256
cf7997fe63cc3ca5b60e609f756d3252d371e6fc13948468957d83277b61f165

SHA512
e37737e3198b87c0cce9bf85ae5f71a97638ffdc6461625586939663cf726b16d30bc1d05b36edbcd117574c5ae5a3e9985344a116319d25a97987929b14d5da

Download Submit
memory/2568-1004-0x00000000005A0000-0x00000000005C8000-memory.dmp

Filesize
160KB

Download
memory/2568-1006-0x0000000007620000-0x0000000007630000-memory.dmp

Filesize
64KB

Download
memory/2568-1005-0x0000000007320000-0x000000000736B000-memory.dmp

Filesize
300KB

Download
memory/2648-153-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-169-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-147-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2648-150-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-151-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-148-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2648-155-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-157-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-159-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-161-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-163-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-165-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-167-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-149-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2648-171-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-173-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-175-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-177-0x00000000070F0000-0x0000000007102000-memory.dmp

Filesize
72KB

Download
memory/2648-178-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/2648-179-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2648-180-0x0000000007250000-0x0000000007260000-memory.dmp

Filesize
64KB

Download
memory/2648-182-0x0000000000400000-0x0000000002BB5000-memory.dmp

Filesize
39.7MB

Download
memory/2648-143-0x0000000004C00000-0x0000000004C1A000-memory.dmp

Filesize
104KB

Download
memory/2648-146-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/2648-145-0x00000000070F0000-0x0000000007108000-memory.dmp

Filesize
96KB

Download
memory/2648-144-0x0000000007260000-0x000000000775E000-memory.dmp

Filesize
5.0MB

Download
memory/3152-1012-0x0000000002C80000-0x0000000002CB5000-memory.dmp

Filesize
212KB

Download
memory/4472-188-0x0000000007150000-0x000000000718A000-memory.dmp

Filesize
232KB

Download
memory/4472-196-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-198-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-200-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-202-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-204-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-206-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-208-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-210-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-212-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-214-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-216-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-218-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-220-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-222-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-312-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/4472-314-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4472-315-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4472-318-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4472-985-0x0000000009C60000-0x000000000A266000-memory.dmp

Filesize
6.0MB

Download
memory/4472-986-0x0000000007270000-0x0000000007282000-memory.dmp

Filesize
72KB

Download
memory/4472-987-0x000000000A270000-0x000000000A37A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-988-0x000000000A380000-0x000000000A3BE000-memory.dmp

Filesize
248KB

Download
memory/4472-989-0x00000000072D0000-0x00000000072E0000-memory.dmp

Filesize
64KB

Download
memory/4472-990-0x000000000A3E0000-0x000000000A42B000-memory.dmp

Filesize
300KB

Download
memory/4472-991-0x000000000A670000-0x000000000A6D6000-memory.dmp

Filesize
408KB

Download
memory/4472-992-0x000000000AD20000-0x000000000ADB2000-memory.dmp

Filesize
584KB

Download
memory/4472-993-0x000000000AED0000-0x000000000AF46000-memory.dmp

Filesize
472KB

Download
memory/4472-994-0x000000000AF90000-0x000000000AFAE000-memory.dmp

Filesize
120KB

Download
memory/4472-194-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-189-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-192-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-190-0x0000000007150000-0x0000000007185000-memory.dmp

Filesize
212KB

Download
memory/4472-187-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/4472-996-0x000000000B060000-0x000000000B222000-memory.dmp

Filesize
1.8MB

Download
memory/4472-997-0x000000000B230000-0x000000000B75C000-memory.dmp

Filesize
5.2MB

Download
memory/4472-998-0x0000000004930000-0x0000000004980000-memory.dmp

Filesize
320KB

Download