3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482

Analysis

max time kernel
248s
max time network
331s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2023 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe
Size

1.5MB
MD5

03a823d543a273c57b4056e8b26993c7
SHA1

99524482a8eaec519f61652fc0cd52fdf2a8dd59
SHA256

3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482
SHA512

3caf9f399a50ab96abcbc6cd66416619922761d4b385e0fc1a2466162603e9b1c693ace7c3b2c807dc2f3cea8f3eaca03fd8988fdbb0d1797058f368314eb602
SSDEEP

24576:myyOffDEC4u5WqtGtqAO4etgiioNEOI5G+DNVhzIm8tcTTfiM6D8HxGxOY:1dEe55tUqANeWiBQpNIl6qM7C

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

1.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

55171108.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	55171108.exe

Executes dropped EXE 6 IoCs

Processes:

za347143.exeza903159.exeza546593.exe55171108.exe1.exeu50982866.exe

pid process

1832 za347143.exe
2892 za903159.exe
1276 za546593.exe
4584 55171108.exe
4076 1.exe
2764 u50982866.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

1.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" 1.exe

pid	process
1832	za347143.exe
2892	za903159.exe
1276	za546593.exe
4584	55171108.exe
4076	1.exe
2764	u50982866.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

za546593.exe3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exeza347143.exeza903159.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	za546593.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za347143.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	za347143.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za903159.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	za903159.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	za546593.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1.exe

pid process

4076 1.exe
4076 1.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

55171108.exeu50982866.exe1.exe

description pid process

Token: SeDebugPrivilege 4584 55171108.exe
Token: SeDebugPrivilege 2764 u50982866.exe
Token: SeDebugPrivilege 4076 1.exe

pid	process
4076	1.exe
4076	1.exe

description	pid	process
Token: SeDebugPrivilege	4584	55171108.exe
Token: SeDebugPrivilege	2764	u50982866.exe
Token: SeDebugPrivilege	4076	1.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exeza347143.exeza903159.exeza546593.exe55171108.exe

description	pid	process	target process
PID 1404 wrote to memory of 1832	1404	3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe	za347143.exe
PID 1404 wrote to memory of 1832	1404	3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe	za347143.exe
PID 1404 wrote to memory of 1832	1404	3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe	za347143.exe
PID 1832 wrote to memory of 2892	1832	za347143.exe	za903159.exe
PID 1832 wrote to memory of 2892	1832	za347143.exe	za903159.exe
PID 1832 wrote to memory of 2892	1832	za347143.exe	za903159.exe
PID 2892 wrote to memory of 1276	2892	za903159.exe	za546593.exe
PID 2892 wrote to memory of 1276	2892	za903159.exe	za546593.exe
PID 2892 wrote to memory of 1276	2892	za903159.exe	za546593.exe
PID 1276 wrote to memory of 4584	1276	za546593.exe	55171108.exe
PID 1276 wrote to memory of 4584	1276	za546593.exe	55171108.exe
PID 1276 wrote to memory of 4584	1276	za546593.exe	55171108.exe
PID 4584 wrote to memory of 4076	4584	55171108.exe	1.exe
PID 4584 wrote to memory of 4076	4584	55171108.exe	1.exe
PID 1276 wrote to memory of 2764	1276	za546593.exe	u50982866.exe
PID 1276 wrote to memory of 2764	1276	za546593.exe	u50982866.exe
PID 1276 wrote to memory of 2764	1276	za546593.exe	u50982866.exe

C:\Users\Admin\AppData\Local\Temp\3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe
"C:\Users\Admin\AppData\Local\Temp\3d90cae0a0cd20c3e25d043063a73fd733024a67f893ab64f2b442146b28e482.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za347143.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za347143.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za903159.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za903159.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za546593.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za546593.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55171108.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55171108.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u50982866.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u50982866.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2764 -ip 2764
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za347143.exe

Filesize
1.3MB

MD5
6b6e84e7fd6e8f6ec9d6686e6ecaa0c1

SHA1
9dc66674ebcb5e061beb596976fa1566dfd786a5

SHA256
d23d4dd85d8c53fd407614c843c39faaa3cae5c12e780d97596d48f5559c6f60

SHA512
fbe98d9c3c6b53cb97457ccf9219f0afa5bb94ad827e5d6240525f78f594f043d9db45311bd0944887ace6a2064c38f57e75b68e5260fb20782ee25d6cb2a434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\za347143.exe

Filesize
1.3MB

MD5
6b6e84e7fd6e8f6ec9d6686e6ecaa0c1

SHA1
9dc66674ebcb5e061beb596976fa1566dfd786a5

SHA256
d23d4dd85d8c53fd407614c843c39faaa3cae5c12e780d97596d48f5559c6f60

SHA512
fbe98d9c3c6b53cb97457ccf9219f0afa5bb94ad827e5d6240525f78f594f043d9db45311bd0944887ace6a2064c38f57e75b68e5260fb20782ee25d6cb2a434

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za903159.exe

Filesize
862KB

MD5
9b28e8f7ba36e36cb7e77ebef19bd22c

SHA1
49fbb2e80ad66be610a90088c4b1e85d49affa84

SHA256
506838d954060070d700945c0070dbb953b54a5415e1d6599fe7cec50a83b61c

SHA512
21f04c8b8410f2ab336620957f1b5216f6329cfa171d48efc8b6c10e955d29843183317bbf8c9d21a1431d12418aac820d4a787ecfda3b41146da23ab13635db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\za903159.exe

Filesize
862KB

MD5
9b28e8f7ba36e36cb7e77ebef19bd22c

SHA1
49fbb2e80ad66be610a90088c4b1e85d49affa84

SHA256
506838d954060070d700945c0070dbb953b54a5415e1d6599fe7cec50a83b61c

SHA512
21f04c8b8410f2ab336620957f1b5216f6329cfa171d48efc8b6c10e955d29843183317bbf8c9d21a1431d12418aac820d4a787ecfda3b41146da23ab13635db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za546593.exe

Filesize
679KB

MD5
a896971c4d99f0962e5aed9b56f0d19f

SHA1
83669a21da11b3fb3cc85b01de465e7fd8d0908c

SHA256
281b39b01d0291404656d3217a56dd9eec0312fe2e6ff28dc8994b1a0b0543e7

SHA512
b767ab892eb0e0f4e60ad242a59eea335668451e6c041e94e23e760a8a2658f2bb5a96f24ca6b04726137f2ea3a5ea1c265861fb9e0cfdc9839a134f486e0675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\za546593.exe

Filesize
679KB

MD5
a896971c4d99f0962e5aed9b56f0d19f

SHA1
83669a21da11b3fb3cc85b01de465e7fd8d0908c

SHA256
281b39b01d0291404656d3217a56dd9eec0312fe2e6ff28dc8994b1a0b0543e7

SHA512
b767ab892eb0e0f4e60ad242a59eea335668451e6c041e94e23e760a8a2658f2bb5a96f24ca6b04726137f2ea3a5ea1c265861fb9e0cfdc9839a134f486e0675

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55171108.exe

Filesize
301KB

MD5
19891987b815519a5a898c60e55921fc

SHA1
938adbb3c5bb6acbcf4af904cb46e658072718cc

SHA256
1e92c143feb7ccb4680de759ad49e184ecfc0f4dea71b30363caa810fe567af4

SHA512
04abf320bba0b1eb0ab628b6e4a36d87bb812b760c47bc75ce473124aa4a38f1524a6481f58a0b5098d421a7b379f492e4cfb5581a1390e33d6594f83eef8ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\55171108.exe

Filesize
301KB

MD5
19891987b815519a5a898c60e55921fc

SHA1
938adbb3c5bb6acbcf4af904cb46e658072718cc

SHA256
1e92c143feb7ccb4680de759ad49e184ecfc0f4dea71b30363caa810fe567af4

SHA512
04abf320bba0b1eb0ab628b6e4a36d87bb812b760c47bc75ce473124aa4a38f1524a6481f58a0b5098d421a7b379f492e4cfb5581a1390e33d6594f83eef8ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u50982866.exe

Filesize
522KB

MD5
0e58844f67d852d1799363d76d0d27bd

SHA1
8eaa3b351f88a23b664da04991e795c6505e3426

SHA256
f4d14dcbc21bbf8157f307715f5954df71d374494c0913d1107acbf68f8a88ff

SHA512
d336561d45c26ad62b6db56d056cad87131949f9cb9fab12379a2b74b4f048dbd48da91fa9086417130ca5f1f74a7510f3266c406c1fca862b5a551ae2c5fc91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\u50982866.exe

Filesize
522KB

MD5
0e58844f67d852d1799363d76d0d27bd

SHA1
8eaa3b351f88a23b664da04991e795c6505e3426

SHA256
f4d14dcbc21bbf8157f307715f5954df71d374494c0913d1107acbf68f8a88ff

SHA512
d336561d45c26ad62b6db56d056cad87131949f9cb9fab12379a2b74b4f048dbd48da91fa9086417130ca5f1f74a7510f3266c406c1fca862b5a551ae2c5fc91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2764-4449-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-2320-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-2316-0x0000000002200000-0x000000000224C000-memory.dmp

Filesize
304KB

Download
memory/2764-2318-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-4445-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-4447-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-4448-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-4450-0x0000000004F90000-0x0000000004FA0000-memory.dmp

Filesize
64KB

Download
memory/2764-4452-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/4076-2311-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/4584-205-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-2292-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-191-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-193-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-195-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-199-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-197-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-201-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-203-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-187-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-207-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-209-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-211-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-213-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-215-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-217-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-219-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-221-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-223-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-225-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-227-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-189-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-2294-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-2295-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-2296-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-2297-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-185-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-183-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-181-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-179-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-177-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-175-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-173-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-171-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-169-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-167-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-165-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-164-0x00000000050E0000-0x0000000005131000-memory.dmp

Filesize
324KB

Download
memory/4584-163-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-162-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/4584-161-0x0000000004B30000-0x00000000050D4000-memory.dmp

Filesize
5.6MB

Download