0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
04/05/2023, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe
Size

1.5MB
MD5

752b4e860e38c4e38c88eeefd767c3ce
SHA1

07bf9dc7fc9a9b104740f1298eb0f1652f5b6623
SHA256

0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c
SHA512

4243821d86e64f9f95f15de0db75cc587976c957be4c6bab221fa4dd09991e6a0b11697cef083845163115ffb974045fc2051a905fe68fef6cac66ebf4c0989b
SSDEEP

24576:PyttBhTxuASKjTjm/DB1MiiijlWqbUEOWIE6or2uyjUYTiYw7Lkr9eeArpdV:ajBeASKjnQ1PZFoEL6or21FiYw7+Uj

Score

10^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8239042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8239042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8239042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8239042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8239042.exe

Executes dropped EXE 7 IoCs

pid	Process
3652	v4550312.exe
4324	v1492307.exe
4392	v3397989.exe
4368	v8866569.exe
2096	a8239042.exe
4060	b7656692.exe
3768	c8120321.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8239042.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8239042.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1492307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3397989.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8866569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8866569.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4550312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4550312.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1492307.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v3397989.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
3712	3768	WerFault.exe	73
2972	3768	WerFault.exe	73
4484	3768	WerFault.exe	73
4496	3768	WerFault.exe	73
4456	3768	WerFault.exe	73
4160	3768	WerFault.exe	73
3168	3768	WerFault.exe	73
4972	3768	WerFault.exe	73
5068	3768	WerFault.exe	73

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2096	a8239042.exe
2096	a8239042.exe
4060	b7656692.exe
4060	b7656692.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	a8239042.exe
Token: SeDebugPrivilege	4060	b7656692.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3768	c8120321.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 420 wrote to memory of 3652	420	0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe	66
PID 420 wrote to memory of 3652	420	0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe	66
PID 420 wrote to memory of 3652	420	0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe	66
PID 3652 wrote to memory of 4324	3652	v4550312.exe	67
PID 3652 wrote to memory of 4324	3652	v4550312.exe	67
PID 3652 wrote to memory of 4324	3652	v4550312.exe	67
PID 4324 wrote to memory of 4392	4324	v1492307.exe	68
PID 4324 wrote to memory of 4392	4324	v1492307.exe	68
PID 4324 wrote to memory of 4392	4324	v1492307.exe	68
PID 4392 wrote to memory of 4368	4392	v3397989.exe	69
PID 4392 wrote to memory of 4368	4392	v3397989.exe	69
PID 4392 wrote to memory of 4368	4392	v3397989.exe	69
PID 4368 wrote to memory of 2096	4368	v8866569.exe	70
PID 4368 wrote to memory of 2096	4368	v8866569.exe	70
PID 4368 wrote to memory of 2096	4368	v8866569.exe	70
PID 4368 wrote to memory of 4060	4368	v8866569.exe	71
PID 4368 wrote to memory of 4060	4368	v8866569.exe	71
PID 4368 wrote to memory of 4060	4368	v8866569.exe	71
PID 4392 wrote to memory of 3768	4392	v3397989.exe	73
PID 4392 wrote to memory of 3768	4392	v3397989.exe	73
PID 4392 wrote to memory of 3768	4392	v3397989.exe	73

C:\Users\Admin\AppData\Local\Temp\0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe
"C:\Users\Admin\AppData\Local\Temp\0fdbef1ed33366ead6025639345f04110a62d6cb38a15cbb52e1cefe377e881c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4550312.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4550312.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1492307.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1492307.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3397989.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3397989.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8866569.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8866569.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4368
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8239042.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8239042.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7656692.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7656692.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8120321.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8120321.exe
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3768
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 624
        6⤵
        Program crash
        
        PID:3712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 704
        6⤵
        Program crash
        
        PID:2972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 844
        6⤵
        Program crash
        
        PID:4484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 832
        6⤵
        Program crash
        
        PID:4496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 880
        6⤵
        Program crash
        
        PID:4456
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 936
        6⤵
        Program crash
        
        PID:4160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1132
        6⤵
        Program crash
        
        PID:3168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1156
        6⤵
        Program crash
        
        PID:4972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 1144
        6⤵
        Program crash
        
        PID:5068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4550312.exe

Filesize
1.4MB

MD5
2f72697f20e963c1839bae91e0480e12

SHA1
04f33586741d54b75d721f5efa629ea3885ef4ee

SHA256
062458b1d49e5f8f067250b1eb9a8f0915744a82d785d8e34b709ddbe881ac8f

SHA512
755758c8b671ce5a43c6fe75bf7353f5b6943ec657f1077ba03685be8c41c030f3dfae3626390879c83aa534341e6068b55e5363dc026c131a2837d324ef2b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4550312.exe

Filesize
1.4MB

MD5
2f72697f20e963c1839bae91e0480e12

SHA1
04f33586741d54b75d721f5efa629ea3885ef4ee

SHA256
062458b1d49e5f8f067250b1eb9a8f0915744a82d785d8e34b709ddbe881ac8f

SHA512
755758c8b671ce5a43c6fe75bf7353f5b6943ec657f1077ba03685be8c41c030f3dfae3626390879c83aa534341e6068b55e5363dc026c131a2837d324ef2b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1492307.exe

Filesize
912KB

MD5
8055ef76b1a760c50fe8dd0b64b1bf68

SHA1
b34c06f6cbc6a7e71272e062e32d5c184c5d8e48

SHA256
004069dc53542ea6dcf850628ee298d7b95851a70e570ca9253e07f0352f31b3

SHA512
1a7c242a7d3cd6d7c9c0149f69fabdb31fb8fb6ebd727db96fb81380b638ca6f1a23f814f8433b759716f90091432acc5d8293ef61a35e63d4f9e0c26d3c71f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1492307.exe

Filesize
912KB

MD5
8055ef76b1a760c50fe8dd0b64b1bf68

SHA1
b34c06f6cbc6a7e71272e062e32d5c184c5d8e48

SHA256
004069dc53542ea6dcf850628ee298d7b95851a70e570ca9253e07f0352f31b3

SHA512
1a7c242a7d3cd6d7c9c0149f69fabdb31fb8fb6ebd727db96fb81380b638ca6f1a23f814f8433b759716f90091432acc5d8293ef61a35e63d4f9e0c26d3c71f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3397989.exe

Filesize
707KB

MD5
3c0d308d1dbad5237987b537741a93b4

SHA1
5337cddfa54a8939200396dbf8fe02476d4fbde1

SHA256
e1eb8495d0e588a0eeb0240767c91c1dd24ec90d876181958993b9736965842c

SHA512
b8eb4c9c263a69857c7310a4d2a75aa92a3199c4da837d72ba28fef268e1e5cdd0247e8bacf86ede897cd022442e1ff9e471356e63540fab18064a1ae79d44a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3397989.exe

Filesize
707KB

MD5
3c0d308d1dbad5237987b537741a93b4

SHA1
5337cddfa54a8939200396dbf8fe02476d4fbde1

SHA256
e1eb8495d0e588a0eeb0240767c91c1dd24ec90d876181958993b9736965842c

SHA512
b8eb4c9c263a69857c7310a4d2a75aa92a3199c4da837d72ba28fef268e1e5cdd0247e8bacf86ede897cd022442e1ff9e471356e63540fab18064a1ae79d44a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8120321.exe

Filesize
339KB

MD5
3c35cbe02053107d55f0b888087ac3d5

SHA1
f4bcfb9c46b476099221cd2178d280b7756776f0

SHA256
7c4cf0bc0fdbb2ab6eb6e5d6f10a3e714261f668071452d06d18aaa05b66e7d5

SHA512
e1cb258a3058b85ddab2e86a9032bf4f7cdec5722bb6eb26ab085c255cdd2030f9a002418749eb1e048901a050e3bd395704bb5f4669f8632837a5d1546c8bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8120321.exe

Filesize
339KB

MD5
3c35cbe02053107d55f0b888087ac3d5

SHA1
f4bcfb9c46b476099221cd2178d280b7756776f0

SHA256
7c4cf0bc0fdbb2ab6eb6e5d6f10a3e714261f668071452d06d18aaa05b66e7d5

SHA512
e1cb258a3058b85ddab2e86a9032bf4f7cdec5722bb6eb26ab085c255cdd2030f9a002418749eb1e048901a050e3bd395704bb5f4669f8632837a5d1546c8bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8866569.exe

Filesize
416KB

MD5
7046e13104becb0b28912a78f6fdfc23

SHA1
5c50a61c6917ba0471ae4f49362198759d0b1e0d

SHA256
8b14a140ab92097fdf0c90b5176addfc8c996fb159a1fdf38932f740c0431a5b

SHA512
9d94c3f467242d4a86ad1c9dcbcba8f616ee8e2c7d25e89b20fa6622a6177262854d5dac097fa873371e55ef88ba4991d2fa06d8d0fe40181d88a2352c83f650

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8866569.exe

Filesize
416KB

MD5
7046e13104becb0b28912a78f6fdfc23

SHA1
5c50a61c6917ba0471ae4f49362198759d0b1e0d

SHA256
8b14a140ab92097fdf0c90b5176addfc8c996fb159a1fdf38932f740c0431a5b

SHA512
9d94c3f467242d4a86ad1c9dcbcba8f616ee8e2c7d25e89b20fa6622a6177262854d5dac097fa873371e55ef88ba4991d2fa06d8d0fe40181d88a2352c83f650

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8239042.exe

Filesize
360KB

MD5
8e7493809b43defe87c0e7bb5f4c2ec4

SHA1
33b43013f4b9cc933829c5e71846c828a33a9dc7

SHA256
121a33078b699a2142a3fa76ad986aa4b27415a63c6d2e86498e17264fc0ffcd

SHA512
a794da6ea7cb4033c982da19b94f7d7c48abc76df23e35c1bb71a82f533a58758c9a17de797a11c74e683b032e2735f447a3d9bc38f9b71b6c1cdaf65c732541

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8239042.exe

Filesize
360KB

MD5
8e7493809b43defe87c0e7bb5f4c2ec4

SHA1
33b43013f4b9cc933829c5e71846c828a33a9dc7

SHA256
121a33078b699a2142a3fa76ad986aa4b27415a63c6d2e86498e17264fc0ffcd

SHA512
a794da6ea7cb4033c982da19b94f7d7c48abc76df23e35c1bb71a82f533a58758c9a17de797a11c74e683b032e2735f447a3d9bc38f9b71b6c1cdaf65c732541

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7656692.exe

Filesize
136KB

MD5
08506fff67baca3871f497ca518b5638

SHA1
80c5936b81e68c9012ba35a72e4a7b0bd97d16a1

SHA256
4ec0b50d85beb65d1c02e2362bddd6387a1f7278659030525795ab6cd440eb39

SHA512
ea3fdf67834ab95c6986f2bdcd5f3238c278887c5566a79d03338ffdbaca9d1828a0ee908aa2b1ec831d79db400cfd4cac0fd5a06d8abe2e6b406ad3605c6876

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7656692.exe

Filesize
136KB

MD5
08506fff67baca3871f497ca518b5638

SHA1
80c5936b81e68c9012ba35a72e4a7b0bd97d16a1

SHA256
4ec0b50d85beb65d1c02e2362bddd6387a1f7278659030525795ab6cd440eb39

SHA512
ea3fdf67834ab95c6986f2bdcd5f3238c278887c5566a79d03338ffdbaca9d1828a0ee908aa2b1ec831d79db400cfd4cac0fd5a06d8abe2e6b406ad3605c6876

Download Submit
memory/2096-170-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-184-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-155-0x00000000027D0000-0x00000000027E8000-memory.dmp

Filesize
96KB

Download
memory/2096-156-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download
memory/2096-157-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2096-158-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2096-159-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-160-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-162-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-164-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-166-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-168-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-153-0x00000000022C0000-0x00000000022DA000-memory.dmp

Filesize
104KB

Download
memory/2096-172-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-176-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-174-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-178-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-180-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-186-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-154-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/2096-182-0x00000000027D0000-0x00000000027E2000-memory.dmp

Filesize
72KB

Download
memory/2096-187-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2096-188-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2096-190-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/3768-213-0x00000000006F0000-0x0000000000725000-memory.dmp

Filesize
212KB

Download
memory/3768-214-0x0000000000400000-0x00000000006EF000-memory.dmp

Filesize
2.9MB

Download
memory/4060-197-0x0000000007790000-0x000000000789A000-memory.dmp

Filesize
1.0MB

Download
memory/4060-202-0x00000000084C0000-0x0000000008552000-memory.dmp

Filesize
584KB

Download
memory/4060-195-0x0000000007C10000-0x0000000008216000-memory.dmp

Filesize
6.0MB

Download
memory/4060-198-0x00000000076C0000-0x00000000076FE000-memory.dmp

Filesize
248KB

Download
memory/4060-199-0x0000000007700000-0x000000000774B000-memory.dmp

Filesize
300KB

Download
memory/4060-200-0x0000000007A10000-0x0000000007A20000-memory.dmp

Filesize
64KB

Download
memory/4060-201-0x0000000007A20000-0x0000000007A86000-memory.dmp

Filesize
408KB

Download
memory/4060-196-0x0000000007660000-0x0000000007672000-memory.dmp

Filesize
72KB

Download
memory/4060-203-0x0000000008660000-0x00000000086D6000-memory.dmp

Filesize
472KB

Download
memory/4060-204-0x0000000009060000-0x0000000009222000-memory.dmp

Filesize
1.8MB

Download
memory/4060-194-0x0000000000960000-0x0000000000988000-memory.dmp

Filesize
160KB

Download
memory/4060-205-0x0000000009760000-0x0000000009C8C000-memory.dmp

Filesize
5.2MB

Download
memory/4060-206-0x0000000008800000-0x000000000881E000-memory.dmp

Filesize
120KB

Download
memory/4060-207-0x0000000008840000-0x0000000008890000-memory.dmp

Filesize
320KB

Download