f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
05-05-2023 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe
Size

1.0MB
MD5

1c12b6c7ac3b982ae0df387eabf4deee
SHA1

42f8817ba5eeaa65fbf83b9a1e95e5ee525fb86f
SHA256

f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6
SHA512

de4307288bcbcbbe44ea8b3da8267066c3c1afc48b8c5e6a8f106328bec735d310d260c1f5e874e51821738fb64dfb303d34b0cdad3adf00e46f9ba86eb23522
SSDEEP

24576:6yqAJpdwvaXYBODlGQGEEndcKMb2nMCSpPrUDS3X32wCRI:BqAJTYQDlGKVCt23uR

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	132025557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	132025557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	132025557.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	132025557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	132025557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	132025557.exe

Executes dropped EXE 4 IoCs

pid	Process
1364	ov685632.exe
1632	Ey927901.exe
844	132025557.exe
1908	209630944.exe

Loads dropped DLL 10 IoCs

pid	Process
1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe
1364	ov685632.exe
1364	ov685632.exe
1632	Ey927901.exe
1632	Ey927901.exe
1632	Ey927901.exe
844	132025557.exe
1632	Ey927901.exe
1632	Ey927901.exe
1908	209630944.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	132025557.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	132025557.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ov685632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ov685632.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Ey927901.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Ey927901.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
844	132025557.exe
844	132025557.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	132025557.exe
Token: SeDebugPrivilege	1908	209630944.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1496 wrote to memory of 1364	1496	f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe	27
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1364 wrote to memory of 1632	1364	ov685632.exe	28
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 844	1632	Ey927901.exe	29
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30
PID 1632 wrote to memory of 1908	1632	Ey927901.exe	30

C:\Users\Admin\AppData\Local\Temp\f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe
"C:\Users\Admin\AppData\Local\Temp\f66e1d77a7f6e425c08a1a397fde16fde43c74fa4aac9fb54abb39bbaa8f6de6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe

Filesize
769KB

MD5
9a27443925ffcf405da1f12ad843c247

SHA1
3ab1486d429156303924e44040bfb4e2aadc7226

SHA256
fcaacd8789e8883bd8d144a49f6e83ffadde80925d80f5a34d8f4c813672bce7

SHA512
896f8abb43e4860b757bedb3aaf4f14a3414de6098d3f0609c8399e005eb9b06fc41be3a716d8b649381a5e1a80cd9b521ace9d7f9ba346bbd4fd4f526e59ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe

Filesize
769KB

MD5
9a27443925ffcf405da1f12ad843c247

SHA1
3ab1486d429156303924e44040bfb4e2aadc7226

SHA256
fcaacd8789e8883bd8d144a49f6e83ffadde80925d80f5a34d8f4c813672bce7

SHA512
896f8abb43e4860b757bedb3aaf4f14a3414de6098d3f0609c8399e005eb9b06fc41be3a716d8b649381a5e1a80cd9b521ace9d7f9ba346bbd4fd4f526e59ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe

Filesize
598KB

MD5
e2c26f4d8a35b439723f424123a6b3ad

SHA1
a14afbc42b7e8d1f119a7558cad045dfe704cd65

SHA256
fe8180d8ec5b5b2186a8eec102782957df7a3dcf27edc048e6a1027253c0b11a

SHA512
8e11770ec9f9f77fe2aa0a051cd21621d581b844a92ae374f2217f14d5dbbc5927bff2e122f9bd21cce6b91835478aa2c6d7788138e3a8e112b9500313e21ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe

Filesize
598KB

MD5
e2c26f4d8a35b439723f424123a6b3ad

SHA1
a14afbc42b7e8d1f119a7558cad045dfe704cd65

SHA256
fe8180d8ec5b5b2186a8eec102782957df7a3dcf27edc048e6a1027253c0b11a

SHA512
8e11770ec9f9f77fe2aa0a051cd21621d581b844a92ae374f2217f14d5dbbc5927bff2e122f9bd21cce6b91835478aa2c6d7788138e3a8e112b9500313e21ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe

Filesize
769KB

MD5
9a27443925ffcf405da1f12ad843c247

SHA1
3ab1486d429156303924e44040bfb4e2aadc7226

SHA256
fcaacd8789e8883bd8d144a49f6e83ffadde80925d80f5a34d8f4c813672bce7

SHA512
896f8abb43e4860b757bedb3aaf4f14a3414de6098d3f0609c8399e005eb9b06fc41be3a716d8b649381a5e1a80cd9b521ace9d7f9ba346bbd4fd4f526e59ba9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ov685632.exe

Filesize
769KB

MD5
9a27443925ffcf405da1f12ad843c247

SHA1
3ab1486d429156303924e44040bfb4e2aadc7226

SHA256
fcaacd8789e8883bd8d144a49f6e83ffadde80925d80f5a34d8f4c813672bce7

SHA512
896f8abb43e4860b757bedb3aaf4f14a3414de6098d3f0609c8399e005eb9b06fc41be3a716d8b649381a5e1a80cd9b521ace9d7f9ba346bbd4fd4f526e59ba9

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe

Filesize
598KB

MD5
e2c26f4d8a35b439723f424123a6b3ad

SHA1
a14afbc42b7e8d1f119a7558cad045dfe704cd65

SHA256
fe8180d8ec5b5b2186a8eec102782957df7a3dcf27edc048e6a1027253c0b11a

SHA512
8e11770ec9f9f77fe2aa0a051cd21621d581b844a92ae374f2217f14d5dbbc5927bff2e122f9bd21cce6b91835478aa2c6d7788138e3a8e112b9500313e21ad7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Ey927901.exe

Filesize
598KB

MD5
e2c26f4d8a35b439723f424123a6b3ad

SHA1
a14afbc42b7e8d1f119a7558cad045dfe704cd65

SHA256
fe8180d8ec5b5b2186a8eec102782957df7a3dcf27edc048e6a1027253c0b11a

SHA512
8e11770ec9f9f77fe2aa0a051cd21621d581b844a92ae374f2217f14d5dbbc5927bff2e122f9bd21cce6b91835478aa2c6d7788138e3a8e112b9500313e21ad7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\132025557.exe

Filesize
390KB

MD5
4f3073a170dc4f366153bc2b75b0403e

SHA1
b6fdd0a34029e9eaa7e924d81c3f161817592312

SHA256
34d73719b718a2127de6cd3244efa9211292f395a8efb694e547f08413efb977

SHA512
9a00623fd03b4f3c5af65d2474946e62e276f27f8ce3d059c7007cea1fc70872982088efa85b52cd5244b70bc1a8513da64cda860f38536ed35d11027dae29fa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\209630944.exe

Filesize
473KB

MD5
a5133136aa9ca4c3b6943a76ae0f987a

SHA1
2fe2fe3d402c56fc42ddc03b3d0234a4733a070b

SHA256
5665019ce51ab1ba668188bbb647fdc9dcdab5281bd3364e6321901bd6cc284a

SHA512
ebdc9ce9c8cbae2d8f45130b6cd82a0e397f8797887c4c42e61624998547d42cec90ddf1c058f884034852a7444ef83a30cc3dde90a839c4c817d0c43daaf795

Download Submit
memory/844-119-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/844-98-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-100-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-102-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-104-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-106-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-108-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-110-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-112-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-114-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-116-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-118-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-96-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-120-0x00000000051D0000-0x0000000005210000-memory.dmp

Filesize
256KB

Download
memory/844-121-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/844-122-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/844-94-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-92-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-91-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/844-90-0x0000000000B80000-0x0000000000B98000-memory.dmp

Filesize
96KB

Download
memory/844-89-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download
memory/844-88-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1908-134-0x0000000002530000-0x000000000256A000-memory.dmp

Filesize
232KB

Download
memory/1908-150-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-136-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/1908-135-0x0000000000370000-0x00000000003B6000-memory.dmp

Filesize
280KB

Download
memory/1908-137-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-138-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-140-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-142-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-144-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-146-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-148-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-133-0x00000000024F0000-0x000000000252C000-memory.dmp

Filesize
240KB

Download
memory/1908-152-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-154-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-156-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-158-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-160-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-162-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-164-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-166-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-168-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-170-0x0000000002530000-0x0000000002565000-memory.dmp

Filesize
212KB

Download
memory/1908-929-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download
memory/1908-932-0x00000000020F0000-0x0000000002130000-memory.dmp

Filesize
256KB

Download