dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64

Analysis

max time kernel
171s
max time network
177s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/05/2023, 18:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe
Size

1.0MB
MD5

98057d58f21a1999aa0d63555e06e343
SHA1

d08e2e8953fdad8950b41268b5c0bc6cb9b54390
SHA256

dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64
SHA512

c5d13bb8c90ad17c416f430bc61688e701a4399a789566ed16e94366e50b79c649030df2eb60fa8446fc25af56ee7118bc8253dbf3e113b75e00d1ec6bba4f71
SSDEEP

24576:Gy5Ub1sdqff7X3+SlUSVyqtE7aNPYsA1FNFb3sxQhbXLd1w/:Vq5sdMXuSlUSVyqS7ua/3sxaTL

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	17865617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	17865617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	17865617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	17865617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	17865617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	17865617.exe

Executes dropped EXE 4 IoCs

pid	Process
1844	za048162.exe
1476	za146841.exe
1152	17865617.exe
1248	w76uo60.exe

Loads dropped DLL 10 IoCs

pid	Process
1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe
1844	za048162.exe
1844	za048162.exe
1476	za146841.exe
1476	za146841.exe
1476	za146841.exe
1152	17865617.exe
1476	za146841.exe
1476	za146841.exe
1248	w76uo60.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	17865617.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	17865617.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za048162.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za146841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za146841.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za048162.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1152	17865617.exe
1152	17865617.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	17865617.exe
Token: SeDebugPrivilege	1248	w76uo60.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1996 wrote to memory of 1844	1996	dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe	28
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1844 wrote to memory of 1476	1844	za048162.exe	29
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1152	1476	za146841.exe	30
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31
PID 1476 wrote to memory of 1248	1476	za146841.exe	31

C:\Users\Admin\AppData\Local\Temp\dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe
"C:\Users\Admin\AppData\Local\Temp\dba8d94fa5dc1ecfb49ae5418dc3415995481eb6305f0c83841e14415e5c6e64.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe

Filesize
775KB

MD5
050417dff37ad5156628e745f55f07e9

SHA1
4c5897eb43371f80733289775ead2d404dc662f5

SHA256
f33b7ca9d8b8c679b9a29ed1622197eaf60eadff81230ddf2c9a9b1d4c3961b3

SHA512
2d815de6b5d9fe5d5899a466c9559d039857e51b641e12e3ef131b33d1f5dfc62cc9d32c5e2befc08b026fc894872ce59fad487ce02e529e75b6e5ba040718d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe

Filesize
775KB

MD5
050417dff37ad5156628e745f55f07e9

SHA1
4c5897eb43371f80733289775ead2d404dc662f5

SHA256
f33b7ca9d8b8c679b9a29ed1622197eaf60eadff81230ddf2c9a9b1d4c3961b3

SHA512
2d815de6b5d9fe5d5899a466c9559d039857e51b641e12e3ef131b33d1f5dfc62cc9d32c5e2befc08b026fc894872ce59fad487ce02e529e75b6e5ba040718d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe

Filesize
593KB

MD5
393c8f32f5fecd54ee382d5aa7aedfe3

SHA1
785c06a93f694495c033c10e712747c2908d77d9

SHA256
70215f7718c4d93090574d81ec231159e0a8cb20734a8b9fb2ca5abac73aeacc

SHA512
9e52ad9d9663bbf09292b916310cffbe6f565a655b766e214e3d68f80b1e9d1086c35ef9347a88a9c5ae923c34c9e9c94f9896bc563461b43c8212660655333b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe

Filesize
593KB

MD5
393c8f32f5fecd54ee382d5aa7aedfe3

SHA1
785c06a93f694495c033c10e712747c2908d77d9

SHA256
70215f7718c4d93090574d81ec231159e0a8cb20734a8b9fb2ca5abac73aeacc

SHA512
9e52ad9d9663bbf09292b916310cffbe6f565a655b766e214e3d68f80b1e9d1086c35ef9347a88a9c5ae923c34c9e9c94f9896bc563461b43c8212660655333b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe

Filesize
775KB

MD5
050417dff37ad5156628e745f55f07e9

SHA1
4c5897eb43371f80733289775ead2d404dc662f5

SHA256
f33b7ca9d8b8c679b9a29ed1622197eaf60eadff81230ddf2c9a9b1d4c3961b3

SHA512
2d815de6b5d9fe5d5899a466c9559d039857e51b641e12e3ef131b33d1f5dfc62cc9d32c5e2befc08b026fc894872ce59fad487ce02e529e75b6e5ba040718d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\za048162.exe

Filesize
775KB

MD5
050417dff37ad5156628e745f55f07e9

SHA1
4c5897eb43371f80733289775ead2d404dc662f5

SHA256
f33b7ca9d8b8c679b9a29ed1622197eaf60eadff81230ddf2c9a9b1d4c3961b3

SHA512
2d815de6b5d9fe5d5899a466c9559d039857e51b641e12e3ef131b33d1f5dfc62cc9d32c5e2befc08b026fc894872ce59fad487ce02e529e75b6e5ba040718d1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe

Filesize
593KB

MD5
393c8f32f5fecd54ee382d5aa7aedfe3

SHA1
785c06a93f694495c033c10e712747c2908d77d9

SHA256
70215f7718c4d93090574d81ec231159e0a8cb20734a8b9fb2ca5abac73aeacc

SHA512
9e52ad9d9663bbf09292b916310cffbe6f565a655b766e214e3d68f80b1e9d1086c35ef9347a88a9c5ae923c34c9e9c94f9896bc563461b43c8212660655333b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\za146841.exe

Filesize
593KB

MD5
393c8f32f5fecd54ee382d5aa7aedfe3

SHA1
785c06a93f694495c033c10e712747c2908d77d9

SHA256
70215f7718c4d93090574d81ec231159e0a8cb20734a8b9fb2ca5abac73aeacc

SHA512
9e52ad9d9663bbf09292b916310cffbe6f565a655b766e214e3d68f80b1e9d1086c35ef9347a88a9c5ae923c34c9e9c94f9896bc563461b43c8212660655333b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\17865617.exe

Filesize
377KB

MD5
219130e23740cd06f700d41038a4e5bc

SHA1
56cc94b05e159c29af3f813ccab341c5ada92025

SHA256
3c03d0dfe8bf39412040dcd1b9ab981619fbea44efa90e798d5013bd8c85466c

SHA512
6cdb1d70af7aca962b5ec8aca39cdf6871799ae910a87a322035bbecb96fd40d4f9bc048dce66a67c2d9f421d5701b71d8d26794a3becc4d1f5ce822793fe6b9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\w76uo60.exe

Filesize
459KB

MD5
7604c1b252a38889029516d097a3558e

SHA1
e23816ef46c1a810da1b4d5308045fb6f1cf1864

SHA256
ac69d94511787aa70528eaabc3da809319b00d390de6e8b271856efd41186883

SHA512
af09a51fd55f0092f081318e19b9dded38396e71f8587fe90213f600a890a98ba9e91cff5c5716f772b1c2f8cf5195a4d4c4a7d8a4a112b65493f381e875914a

Download Submit
memory/1152-119-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1152-88-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

Filesize
104KB

Download
memory/1152-101-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-103-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-105-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-107-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-109-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-111-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-113-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-115-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-117-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-118-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/1152-97-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-121-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1152-120-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1152-122-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1152-123-0x0000000004EC0000-0x0000000004F00000-memory.dmp

Filesize
256KB

Download
memory/1152-126-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1152-95-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-93-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-91-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-90-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1152-89-0x00000000022F0000-0x0000000002308000-memory.dmp

Filesize
96KB

Download
memory/1152-99-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/1248-154-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-156-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-140-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-142-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-139-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-146-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-144-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-148-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-150-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-158-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-138-0x0000000002310000-0x000000000234A000-memory.dmp

Filesize
232KB

Download
memory/1248-137-0x00000000008C0000-0x00000000008FC000-memory.dmp

Filesize
240KB

Download
memory/1248-152-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-162-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-160-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-166-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-164-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-170-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-168-0x0000000002310000-0x0000000002345000-memory.dmp

Filesize
212KB

Download
memory/1248-773-0x0000000000240000-0x0000000000286000-memory.dmp

Filesize
280KB

Download
memory/1248-775-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/1248-933-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download