6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf

Analysis

max time kernel
200s
max time network
205s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06/05/2023, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe
Size

1.1MB
MD5

e8a86a61d31c80bea50b9c35a6e0d951
SHA1

8a088307c7e947a549196c9b534ececa02b71475
SHA256

6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf
SHA512

2bbecb1e66e251a8c275e0bf985f0dd0c76bb101fa5df14c43d47b8387b69c469b53bd0ed495d5a3aff3ff4450f16e5875b1251775826ca2da94d35cc042e50d
SSDEEP

24576:4y/wmT0mhiuY806jJPAp+CRgKVQV1489E9AJ9ymi://wGXhnYCJPwJgjM89E9AJ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	186071140.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	186071140.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	186071140.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	186071140.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	186071140.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	186071140.exe

Executes dropped EXE 4 IoCs

pid	Process
1636	jg534520.exe
516	NF964145.exe
976	186071140.exe
1596	212864947.exe

Loads dropped DLL 10 IoCs

pid	Process
1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe
1636	jg534520.exe
1636	jg534520.exe
516	NF964145.exe
516	NF964145.exe
516	NF964145.exe
976	186071140.exe
516	NF964145.exe
516	NF964145.exe
1596	212864947.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	186071140.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	186071140.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	jg534520.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	jg534520.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	NF964145.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	NF964145.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
976	186071140.exe
976	186071140.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	976	186071140.exe
Token: SeDebugPrivilege	1596	212864947.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1632 wrote to memory of 1636	1632	6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe	28
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 1636 wrote to memory of 516	1636	jg534520.exe	29
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 976	516	NF964145.exe	30
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31
PID 516 wrote to memory of 1596	516	NF964145.exe	31

C:\Users\Admin\AppData\Local\Temp\6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe
"C:\Users\Admin\AppData\Local\Temp\6afa50e4ba851f5fc380ff38f3bc40e0a1ffad4a9ef884b6e19eecb0b66911bf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe

Filesize
764KB

MD5
ce1699ce802bc23b393c24e636a51762

SHA1
4307fb8994f1c9769146a134d215ec7954080ef3

SHA256
39ce43ee14751ef373bc888b8754db2aa49049dd6cb14548106570c351a2a050

SHA512
a5463f847b43e9c5e24a5d396655378d7c0ab214e6659f8bba54f693127426082c54eb810e0b75e0dcb152df09e36d690c7c519d19fd6cf5e689948eb0769a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe

Filesize
764KB

MD5
ce1699ce802bc23b393c24e636a51762

SHA1
4307fb8994f1c9769146a134d215ec7954080ef3

SHA256
39ce43ee14751ef373bc888b8754db2aa49049dd6cb14548106570c351a2a050

SHA512
a5463f847b43e9c5e24a5d396655378d7c0ab214e6659f8bba54f693127426082c54eb810e0b75e0dcb152df09e36d690c7c519d19fd6cf5e689948eb0769a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe

Filesize
592KB

MD5
2d29f9d3224b387a1d5f5354ba161687

SHA1
31dc996ccf26661fc0db2b751a8beac368a4b98d

SHA256
b2dfdf6757a8314e140d0980a336c0ddf349a1b10e7c98e72b5a47b754705c7a

SHA512
be64999182ef53711e090e3f8f788ef2c0c27aa5b33c82c76b4a43840250d4ad0044b467f290c046d4bae70c727af4394bf75fa850d90977d08653ca0a010957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe

Filesize
592KB

MD5
2d29f9d3224b387a1d5f5354ba161687

SHA1
31dc996ccf26661fc0db2b751a8beac368a4b98d

SHA256
b2dfdf6757a8314e140d0980a336c0ddf349a1b10e7c98e72b5a47b754705c7a

SHA512
be64999182ef53711e090e3f8f788ef2c0c27aa5b33c82c76b4a43840250d4ad0044b467f290c046d4bae70c727af4394bf75fa850d90977d08653ca0a010957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe

Filesize
764KB

MD5
ce1699ce802bc23b393c24e636a51762

SHA1
4307fb8994f1c9769146a134d215ec7954080ef3

SHA256
39ce43ee14751ef373bc888b8754db2aa49049dd6cb14548106570c351a2a050

SHA512
a5463f847b43e9c5e24a5d396655378d7c0ab214e6659f8bba54f693127426082c54eb810e0b75e0dcb152df09e36d690c7c519d19fd6cf5e689948eb0769a12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\jg534520.exe

Filesize
764KB

MD5
ce1699ce802bc23b393c24e636a51762

SHA1
4307fb8994f1c9769146a134d215ec7954080ef3

SHA256
39ce43ee14751ef373bc888b8754db2aa49049dd6cb14548106570c351a2a050

SHA512
a5463f847b43e9c5e24a5d396655378d7c0ab214e6659f8bba54f693127426082c54eb810e0b75e0dcb152df09e36d690c7c519d19fd6cf5e689948eb0769a12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe

Filesize
592KB

MD5
2d29f9d3224b387a1d5f5354ba161687

SHA1
31dc996ccf26661fc0db2b751a8beac368a4b98d

SHA256
b2dfdf6757a8314e140d0980a336c0ddf349a1b10e7c98e72b5a47b754705c7a

SHA512
be64999182ef53711e090e3f8f788ef2c0c27aa5b33c82c76b4a43840250d4ad0044b467f290c046d4bae70c727af4394bf75fa850d90977d08653ca0a010957

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\NF964145.exe

Filesize
592KB

MD5
2d29f9d3224b387a1d5f5354ba161687

SHA1
31dc996ccf26661fc0db2b751a8beac368a4b98d

SHA256
b2dfdf6757a8314e140d0980a336c0ddf349a1b10e7c98e72b5a47b754705c7a

SHA512
be64999182ef53711e090e3f8f788ef2c0c27aa5b33c82c76b4a43840250d4ad0044b467f290c046d4bae70c727af4394bf75fa850d90977d08653ca0a010957

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\186071140.exe

Filesize
377KB

MD5
60431a01946a01c11b9a297eac8a75c2

SHA1
7c5862d45e94a37880a7aa483cdf660378cf4dd7

SHA256
6b937893ebc175451cf8ffd1e3fc966dccc592e5951df58c685973aa2c7ef647

SHA512
4f9d2a27204a3de6c07cee8ca38ede297a34c3c320b97cf477732bbbdb9ddca028be747e404b9e3d722278991a36ebc45bd7bd47e34719449d9cee3fb43790bc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\212864947.exe

Filesize
460KB

MD5
c00b93abc817e4539603846c8f604e4b

SHA1
fb95971e267734f1ff653672fe91ac35f408853e

SHA256
366ca24894ad83193b0edfea101bc41859eb2e25ae4b2b418c0241493940531e

SHA512
c6ae3ab24dcc4117c61ae30798d1c49049014ccd09dfea3120d16ab4c7f56be300a283fc1bfe65df089e9e25b6ea8e4a4f874e93a13dec0b46b314352a44d1e6

Download Submit
memory/976-120-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-96-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-100-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-102-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-104-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-106-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-108-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-110-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-112-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-114-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-116-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-118-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-98-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-122-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-123-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/976-124-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/976-126-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/976-95-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/976-94-0x00000000025A0000-0x00000000025B8000-memory.dmp

Filesize
96KB

Download
memory/976-93-0x00000000026C0000-0x0000000002700000-memory.dmp

Filesize
256KB

Download
memory/976-91-0x00000000003D0000-0x00000000003EA000-memory.dmp

Filesize
104KB

Download
memory/976-89-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/976-88-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/1596-137-0x00000000023B0000-0x00000000023EC000-memory.dmp

Filesize
240KB

Download
memory/1596-138-0x00000000024E0000-0x000000000251A000-memory.dmp

Filesize
232KB

Download
memory/1596-139-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-140-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-142-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-146-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-148-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-152-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-154-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-158-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-162-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-166-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-168-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-164-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-160-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-156-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-150-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-144-0x00000000024E0000-0x0000000002515000-memory.dmp

Filesize
212KB

Download
memory/1596-374-0x0000000000290000-0x00000000002D6000-memory.dmp

Filesize
280KB

Download
memory/1596-375-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1596-377-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1596-934-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1596-936-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1596-937-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download