da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e

Analysis

max time kernel
141s
max time network
143s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04/05/2023, 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe
Size

1.5MB
MD5

4848db22ad84b74302a30b580dc16f0a
SHA1

abe5a2f51af8c2f9851c14fbd84dd65a45911121
SHA256

da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e
SHA512

db36e9b1b569dbb8bcc1abfc11fcd03f8c66ed832b8060df37e8610298cca6286ca1980800d954ae12915a9eb7b743d813dc142be0756e0b19b75890a8b764ad
SSDEEP

24576:Py819EBWTPcgPDPBKWYOD24LVaXIAes+PMNxyxrQZ0p4:a8WuP5PDPBxbLmuM7ekZ0p

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7602052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7602052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7602052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7602052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7602052.exe

Executes dropped EXE 7 IoCs

pid	Process
4112	v2617617.exe
4484	v3802421.exe
4908	v9965567.exe
2124	v1062150.exe
1628	a7602052.exe
4632	b2974787.exe
4440	c6577705.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7602052.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7602052.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9965567.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1062150.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2617617.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3802421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3802421.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9965567.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1062150.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2617617.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1700	4440	WerFault.exe	73
3536	4440	WerFault.exe	73
2984	4440	WerFault.exe	73
3796	4440	WerFault.exe	73
4528	4440	WerFault.exe	73
3100	4440	WerFault.exe	73
5004	4440	WerFault.exe	73
4728	4440	WerFault.exe	73
3204	4440	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	a7602052.exe
1628	a7602052.exe
4632	b2974787.exe
4632	b2974787.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	a7602052.exe
Token: SeDebugPrivilege	4632	b2974787.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4112	3732	da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe	66
PID 3732 wrote to memory of 4112	3732	da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe	66
PID 3732 wrote to memory of 4112	3732	da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe	66
PID 4112 wrote to memory of 4484	4112	v2617617.exe	67
PID 4112 wrote to memory of 4484	4112	v2617617.exe	67
PID 4112 wrote to memory of 4484	4112	v2617617.exe	67
PID 4484 wrote to memory of 4908	4484	v3802421.exe	68
PID 4484 wrote to memory of 4908	4484	v3802421.exe	68
PID 4484 wrote to memory of 4908	4484	v3802421.exe	68
PID 4908 wrote to memory of 2124	4908	v9965567.exe	69
PID 4908 wrote to memory of 2124	4908	v9965567.exe	69
PID 4908 wrote to memory of 2124	4908	v9965567.exe	69
PID 2124 wrote to memory of 1628	2124	v1062150.exe	70
PID 2124 wrote to memory of 1628	2124	v1062150.exe	70
PID 2124 wrote to memory of 1628	2124	v1062150.exe	70
PID 2124 wrote to memory of 4632	2124	v1062150.exe	71
PID 2124 wrote to memory of 4632	2124	v1062150.exe	71
PID 2124 wrote to memory of 4632	2124	v1062150.exe	71
PID 4908 wrote to memory of 4440	4908	v9965567.exe	73
PID 4908 wrote to memory of 4440	4908	v9965567.exe	73
PID 4908 wrote to memory of 4440	4908	v9965567.exe	73

C:\Users\Admin\AppData\Local\Temp\da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe
"C:\Users\Admin\AppData\Local\Temp\da5c2ed6d146ae06a0405125bb3d461c85a5280b8ff2bd66495d8f3eb950a44e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2617617.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2617617.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3802421.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3802421.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9965567.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9965567.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1062150.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1062150.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7602052.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7602052.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2974787.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2974787.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6577705.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6577705.exe
        5⤵
        Executes dropped EXE
        
        PID:4440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 620
        6⤵
        Program crash
        
        PID:1700
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 700
        6⤵
        Program crash
        
        PID:3536
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 840
        6⤵
        Program crash
        
        PID:2984
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 848
        6⤵
        Program crash
        
        PID:3796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 876
        6⤵
        Program crash
        
        PID:4528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 888
        6⤵
        Program crash
        
        PID:3100
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1120
        6⤵
        Program crash
        
        PID:5004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1152
        6⤵
        Program crash
        
        PID:4728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 1132
        6⤵
        Program crash
        
        PID:3204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2617617.exe

Filesize
1.4MB

MD5
a534594e53fdbd914ffdcb23def1f5b7

SHA1
584cace88ff95594b6d3cdeb1678d0f538a08ec4

SHA256
d773ce08dcbf90e30aecb3dbdf15947ccb0b579af5d91fe561b8e8730ad4afed

SHA512
bbcdbffc9021866332ddef5ad4e9cdf6b0bf4b55f2968638c108a4b457576635a9f333492597a72a39fe53ae0563dc4a2db2b70ad422caf4e57941a919592c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2617617.exe

Filesize
1.4MB

MD5
a534594e53fdbd914ffdcb23def1f5b7

SHA1
584cace88ff95594b6d3cdeb1678d0f538a08ec4

SHA256
d773ce08dcbf90e30aecb3dbdf15947ccb0b579af5d91fe561b8e8730ad4afed

SHA512
bbcdbffc9021866332ddef5ad4e9cdf6b0bf4b55f2968638c108a4b457576635a9f333492597a72a39fe53ae0563dc4a2db2b70ad422caf4e57941a919592c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3802421.exe

Filesize
913KB

MD5
bd5548c45c08d8d1322b80515c75dedd

SHA1
d4852e8f9ae2d320525feeec744d986499f1bbfb

SHA256
321a5dd32c16cd7b07b3040a801a23a8c2cd4d537435f890d0235c36555a1f34

SHA512
3f7d1a1c70e3baf732395b9b036680955e3a9ab1ade62274ff33471e4787d7a1cae01ee978baba019453323fc2f6d180017c72d91d2e50b9b246052d79f9dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3802421.exe

Filesize
913KB

MD5
bd5548c45c08d8d1322b80515c75dedd

SHA1
d4852e8f9ae2d320525feeec744d986499f1bbfb

SHA256
321a5dd32c16cd7b07b3040a801a23a8c2cd4d537435f890d0235c36555a1f34

SHA512
3f7d1a1c70e3baf732395b9b036680955e3a9ab1ade62274ff33471e4787d7a1cae01ee978baba019453323fc2f6d180017c72d91d2e50b9b246052d79f9dcc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9965567.exe

Filesize
708KB

MD5
9be8d3fb52a3489792be0634f4ab43fd

SHA1
2c99357e2e938a8316de693832305f12be61cba9

SHA256
bb32fe7e20db4a36d1a847410cc2cf688ca52f386be61f624b6ae792981b6e83

SHA512
06fccf45952fb7af8e77ce3ffe66828b7e6eda17ce6c2ce3566ca837dc1d4e41c3f0fec1e5171d1e67ee84991df51cb09074be9bb39f3d049a291fd019e53aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9965567.exe

Filesize
708KB

MD5
9be8d3fb52a3489792be0634f4ab43fd

SHA1
2c99357e2e938a8316de693832305f12be61cba9

SHA256
bb32fe7e20db4a36d1a847410cc2cf688ca52f386be61f624b6ae792981b6e83

SHA512
06fccf45952fb7af8e77ce3ffe66828b7e6eda17ce6c2ce3566ca837dc1d4e41c3f0fec1e5171d1e67ee84991df51cb09074be9bb39f3d049a291fd019e53aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6577705.exe

Filesize
340KB

MD5
d00d447234974ecdf521385f117f7b91

SHA1
3b589a338afa9d955dfae231a355bf90334d99c2

SHA256
03ea2ee0f3ac22687e535e5a8b3757847487f8af3102c737e8d97fa01b06f247

SHA512
1ce0020db42c12a4743c5512ce58cbdf5b5c1ba81798328b3c88f86f14b5e6dced92fd77c22b21afa70679aeffd310be2d1feb546dca93708c33594128d38869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6577705.exe

Filesize
340KB

MD5
d00d447234974ecdf521385f117f7b91

SHA1
3b589a338afa9d955dfae231a355bf90334d99c2

SHA256
03ea2ee0f3ac22687e535e5a8b3757847487f8af3102c737e8d97fa01b06f247

SHA512
1ce0020db42c12a4743c5512ce58cbdf5b5c1ba81798328b3c88f86f14b5e6dced92fd77c22b21afa70679aeffd310be2d1feb546dca93708c33594128d38869

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1062150.exe

Filesize
417KB

MD5
040ab52c7bb80f335bd9567655361609

SHA1
60c2aa0005c46d5b2986ab3f4f013f97fb46b24e

SHA256
efc9e85484949e7963c39195a6fb984993f3bd4444a26c742413ca84e3eae7c4

SHA512
afc56cec2c0bb7cba2220b8a8305d56e69d2d674bd59cc4f7950f125523f183dd75c292345096c456f6ad210b540246d01e2ca352183eb57e68bbbc57c6f493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1062150.exe

Filesize
417KB

MD5
040ab52c7bb80f335bd9567655361609

SHA1
60c2aa0005c46d5b2986ab3f4f013f97fb46b24e

SHA256
efc9e85484949e7963c39195a6fb984993f3bd4444a26c742413ca84e3eae7c4

SHA512
afc56cec2c0bb7cba2220b8a8305d56e69d2d674bd59cc4f7950f125523f183dd75c292345096c456f6ad210b540246d01e2ca352183eb57e68bbbc57c6f493d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7602052.exe

Filesize
360KB

MD5
c4fe2e625b6bfe283cfa482bcdb03e30

SHA1
07ec7bc45edc8465a61c4d11be13d3ef1eea306b

SHA256
8cc930dc5949f044fcc22f501ffc21a2436a4fe23c9b47ff50d3c3ec1d01b25b

SHA512
4fee9672599fd023b9812453135d193839143baf041d0322aef0222281f6d18f2d3f1cfde05d5f36f093f34395e2a1756dc38c2f8a172dc493fb971ca49f9cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7602052.exe

Filesize
360KB

MD5
c4fe2e625b6bfe283cfa482bcdb03e30

SHA1
07ec7bc45edc8465a61c4d11be13d3ef1eea306b

SHA256
8cc930dc5949f044fcc22f501ffc21a2436a4fe23c9b47ff50d3c3ec1d01b25b

SHA512
4fee9672599fd023b9812453135d193839143baf041d0322aef0222281f6d18f2d3f1cfde05d5f36f093f34395e2a1756dc38c2f8a172dc493fb971ca49f9cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2974787.exe

Filesize
136KB

MD5
646e73ec5c2400877f45fa3a600ea494

SHA1
d9325641ff8301c96037fc5c1c682df878576a56

SHA256
20c9e94b5bcaa7b080fd248d2533c5c57c39ca3cd051e72d33d5c6a2223be6c3

SHA512
6321ff037c37573eb4e709370a33f99b86d538d97cc32945610ebf1f0d1b44175bf3cf954f96b4074e17baf12c3deb27dc30d0e5df6ec70a9298a7592226471c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2974787.exe

Filesize
136KB

MD5
646e73ec5c2400877f45fa3a600ea494

SHA1
d9325641ff8301c96037fc5c1c682df878576a56

SHA256
20c9e94b5bcaa7b080fd248d2533c5c57c39ca3cd051e72d33d5c6a2223be6c3

SHA512
6321ff037c37573eb4e709370a33f99b86d538d97cc32945610ebf1f0d1b44175bf3cf954f96b4074e17baf12c3deb27dc30d0e5df6ec70a9298a7592226471c

Download Submit
memory/1628-168-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-186-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-154-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1628-155-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1628-156-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1628-157-0x0000000004F00000-0x00000000053FE000-memory.dmp

Filesize
5.0MB

Download
memory/1628-158-0x00000000025A0000-0x00000000025B8000-memory.dmp

Filesize
96KB

Download
memory/1628-159-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-160-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-162-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-164-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-166-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-152-0x0000000000A10000-0x0000000000A2A000-memory.dmp

Filesize
104KB

Download
memory/1628-170-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-172-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-174-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-176-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-178-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-180-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-182-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-184-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/1628-153-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/1628-187-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1628-188-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/1628-190-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4440-213-0x00000000007C0000-0x00000000007F5000-memory.dmp

Filesize
212KB

Download
memory/4440-214-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4632-197-0x0000000007750000-0x000000000785A000-memory.dmp

Filesize
1.0MB

Download
memory/4632-202-0x0000000008580000-0x0000000008612000-memory.dmp

Filesize
584KB

Download
memory/4632-195-0x0000000007B90000-0x0000000008196000-memory.dmp

Filesize
6.0MB

Download
memory/4632-198-0x0000000007680000-0x00000000076BE000-memory.dmp

Filesize
248KB

Download
memory/4632-199-0x0000000007980000-0x0000000007990000-memory.dmp

Filesize
64KB

Download
memory/4632-200-0x00000000076C0000-0x000000000770B000-memory.dmp

Filesize
300KB

Download
memory/4632-201-0x0000000007A00000-0x0000000007A66000-memory.dmp

Filesize
408KB

Download
memory/4632-196-0x0000000007620000-0x0000000007632000-memory.dmp

Filesize
72KB

Download
memory/4632-203-0x0000000008810000-0x0000000008886000-memory.dmp

Filesize
472KB

Download
memory/4632-204-0x0000000008540000-0x000000000855E000-memory.dmp

Filesize
120KB

Download
memory/4632-194-0x0000000000940000-0x0000000000968000-memory.dmp

Filesize
160KB

Download
memory/4632-205-0x0000000009020000-0x00000000091E2000-memory.dmp

Filesize
1.8MB

Download
memory/4632-206-0x0000000009720000-0x0000000009C4C000-memory.dmp

Filesize
5.2MB

Download
memory/4632-207-0x0000000008940000-0x0000000008990000-memory.dmp

Filesize
320KB

Download