328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746

Analysis

max time kernel
229s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
06/05/2023, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe
Size

1.7MB
MD5

f4701f9871797d251fa8837d71cb94ea
SHA1

9c1ce58dfcbb3a6ee9ee17a2ed7e369b36e37ef7
SHA256

328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746
SHA512

f362c011a9584b16e7a272db833856e9f6d800868b9981540c18a289972e287c3950a03ca7d7795f5df19d15383442260c78f240887057f5acf20c06c332429a
SSDEEP

24576:FyK2m12zmxbNW4WMH/6qXH5tmhRmDdpr9TbT+AqnUWwZQjhytC/3HdSp33BQ:gC5bs4WAXXZt8ROTP+cWjzPHdeH

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	a40849490.exe

Executes dropped EXE 7 IoCs

pid	Process
5004	KT440273.exe
3076	ef986775.exe
3868	RR361855.exe
5040	BL139447.exe
4996	a40849490.exe
2708	1.exe
4548	b15353844.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	KT440273.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ef986775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	RR361855.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	BL139447.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	KT440273.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ef986775.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	RR361855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	BL139447.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3064	4548	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2708	1.exe
2708	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	a40849490.exe
Token: SeDebugPrivilege	2708	1.exe
Token: SeDebugPrivilege	4548	b15353844.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 5004	1692	328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe	79
PID 1692 wrote to memory of 5004	1692	328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe	79
PID 1692 wrote to memory of 5004	1692	328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe	79
PID 5004 wrote to memory of 3076	5004	KT440273.exe	80
PID 5004 wrote to memory of 3076	5004	KT440273.exe	80
PID 5004 wrote to memory of 3076	5004	KT440273.exe	80
PID 3076 wrote to memory of 3868	3076	ef986775.exe	81
PID 3076 wrote to memory of 3868	3076	ef986775.exe	81
PID 3076 wrote to memory of 3868	3076	ef986775.exe	81
PID 3868 wrote to memory of 5040	3868	RR361855.exe	82
PID 3868 wrote to memory of 5040	3868	RR361855.exe	82
PID 3868 wrote to memory of 5040	3868	RR361855.exe	82
PID 5040 wrote to memory of 4996	5040	BL139447.exe	83
PID 5040 wrote to memory of 4996	5040	BL139447.exe	83
PID 5040 wrote to memory of 4996	5040	BL139447.exe	83
PID 4996 wrote to memory of 2708	4996	a40849490.exe	86
PID 4996 wrote to memory of 2708	4996	a40849490.exe	86
PID 5040 wrote to memory of 4548	5040	BL139447.exe	87
PID 5040 wrote to memory of 4548	5040	BL139447.exe	87
PID 5040 wrote to memory of 4548	5040	BL139447.exe	87

C:\Users\Admin\AppData\Local\Temp\328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe
"C:\Users\Admin\AppData\Local\Temp\328285beaa8c87f6d93d10b98ce2e28b20485d91f24e09833a81fcdd572b8746.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT440273.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT440273.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ef986775.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ef986775.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR361855.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR361855.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL139447.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL139447.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40849490.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40849490.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\Temp\1.exe
        
        "C:\Windows\Temp\1.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15353844.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15353844.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1268
        7⤵
        Program crash
        
        PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4548 -ip 4548
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT440273.exe

Filesize
1.4MB

MD5
0a1f898b2a86b1cef3c7815f2669c79a

SHA1
5c100e11a604186bbef2f05117c3cf5d9c6f995f

SHA256
3e18a7ccaf8a0fac67481ab76ba02b6091196626551ab039ce07318553db7323

SHA512
115aaa82e856cd25bfdaff9887877a18189d5b32f3bf7da5d7c2d5ad5eefb372230d176da3d4f4b9881f5ddd1b8151b815f79b4260d8037ad11c65a32bbbc054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\KT440273.exe

Filesize
1.4MB

MD5
0a1f898b2a86b1cef3c7815f2669c79a

SHA1
5c100e11a604186bbef2f05117c3cf5d9c6f995f

SHA256
3e18a7ccaf8a0fac67481ab76ba02b6091196626551ab039ce07318553db7323

SHA512
115aaa82e856cd25bfdaff9887877a18189d5b32f3bf7da5d7c2d5ad5eefb372230d176da3d4f4b9881f5ddd1b8151b815f79b4260d8037ad11c65a32bbbc054

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ef986775.exe

Filesize
1.3MB

MD5
82e815109b67b7079249bddd325254eb

SHA1
7388289429b93350ad3c3caf7467aebc680e0212

SHA256
4387e899267c8510ded6cebd29c36abfaba332e43b50578ccd2209432d00e71d

SHA512
9543995f20728b097f93d1c0bfeb3973671bc5aadfe5e6b14f75b223364c8c405c0dd0cd8806725250b61c09b153876a3a6cb054dac265509a81d04c21e8e846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ef986775.exe

Filesize
1.3MB

MD5
82e815109b67b7079249bddd325254eb

SHA1
7388289429b93350ad3c3caf7467aebc680e0212

SHA256
4387e899267c8510ded6cebd29c36abfaba332e43b50578ccd2209432d00e71d

SHA512
9543995f20728b097f93d1c0bfeb3973671bc5aadfe5e6b14f75b223364c8c405c0dd0cd8806725250b61c09b153876a3a6cb054dac265509a81d04c21e8e846

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR361855.exe

Filesize
851KB

MD5
c7e022ad8dafbfdd9ebecff1f10da219

SHA1
20260f9c09f47836fc607f35df8ecc54d5302c92

SHA256
ad9794232b1194088a28c0f1d6807b4bb7dc67dca3e411c7a1126a565ad7f2ff

SHA512
9177401c892707073c48c3793c9ca0887ad53e10083a630c0c3c89e2e91eb23ad9045fded0db64b8b57bfd716f9fff3d46458f217c72cc1ae9a5b073463c70a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\RR361855.exe

Filesize
851KB

MD5
c7e022ad8dafbfdd9ebecff1f10da219

SHA1
20260f9c09f47836fc607f35df8ecc54d5302c92

SHA256
ad9794232b1194088a28c0f1d6807b4bb7dc67dca3e411c7a1126a565ad7f2ff

SHA512
9177401c892707073c48c3793c9ca0887ad53e10083a630c0c3c89e2e91eb23ad9045fded0db64b8b57bfd716f9fff3d46458f217c72cc1ae9a5b073463c70a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL139447.exe

Filesize
679KB

MD5
e0e6ffce945ff30cef8bd2b6d1bd6e35

SHA1
745b5bd4c7c51d5bef7a56423535a1e91302d42d

SHA256
ec982611bdf9017fa58b4892ddc352c1c536cdf7db1143ec27e54402aa376829

SHA512
be1a7908dcc6a4b12d50edd475acf2f159edc6009f5b1904d49692b4a803bdccec32b0a758c5482839fe76e1930e435919aeb921c28b2943417e203f844b63a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BL139447.exe

Filesize
679KB

MD5
e0e6ffce945ff30cef8bd2b6d1bd6e35

SHA1
745b5bd4c7c51d5bef7a56423535a1e91302d42d

SHA256
ec982611bdf9017fa58b4892ddc352c1c536cdf7db1143ec27e54402aa376829

SHA512
be1a7908dcc6a4b12d50edd475acf2f159edc6009f5b1904d49692b4a803bdccec32b0a758c5482839fe76e1930e435919aeb921c28b2943417e203f844b63a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40849490.exe

Filesize
300KB

MD5
8d5aadde8827c810ee8f08e3ba7e0336

SHA1
5476117e14d3722e905a4c97c81987bb29086424

SHA256
7694a7c73029d348a70ca93b3d9d7ebdeeda7823c01dd9e9a60732a7bb39a11e

SHA512
97f39244c524eb5096d2da6701d95ec608ad00c69647a215879e88c16a658cb3ff3008ebc09d9dc746e4f5b328260f5ce70c8d62b309493534237cbdb852008c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a40849490.exe

Filesize
300KB

MD5
8d5aadde8827c810ee8f08e3ba7e0336

SHA1
5476117e14d3722e905a4c97c81987bb29086424

SHA256
7694a7c73029d348a70ca93b3d9d7ebdeeda7823c01dd9e9a60732a7bb39a11e

SHA512
97f39244c524eb5096d2da6701d95ec608ad00c69647a215879e88c16a658cb3ff3008ebc09d9dc746e4f5b328260f5ce70c8d62b309493534237cbdb852008c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15353844.exe

Filesize
521KB

MD5
913fe28ca0a4f65c057d5c6b11429755

SHA1
c02261cc93bdc9d0ebdf9e80f5d1a4fe8e3d8366

SHA256
9face85d75011baaa5973044028e0d2d57f832e5b712c3ce4746711c89fdf6eb

SHA512
1149ee5143da6b78a257e5b27fbbe296d41bab96e9f7ec027066b0b1293459b443ac639819da549acd608164e224a47e70bd45d47e200a866a1353f3cd54e669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b15353844.exe

Filesize
521KB

MD5
913fe28ca0a4f65c057d5c6b11429755

SHA1
c02261cc93bdc9d0ebdf9e80f5d1a4fe8e3d8366

SHA256
9face85d75011baaa5973044028e0d2d57f832e5b712c3ce4746711c89fdf6eb

SHA512
1149ee5143da6b78a257e5b27fbbe296d41bab96e9f7ec027066b0b1293459b443ac639819da549acd608164e224a47e70bd45d47e200a866a1353f3cd54e669

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2708-2320-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4548-4457-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-4456-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-4455-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-2325-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-2324-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-2323-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4548-2322-0x0000000000900000-0x000000000094C000-memory.dmp

Filesize
304KB

Download
memory/4548-4460-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/4548-4461-0x0000000002520000-0x0000000002530000-memory.dmp

Filesize
64KB

Download
memory/4996-201-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-227-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-191-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-195-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-193-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-197-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-199-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-187-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-203-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-205-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-207-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-209-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-211-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-213-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-215-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-217-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-219-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-221-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-223-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-225-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-229-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-189-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-231-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-233-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-235-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-2300-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-2301-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-185-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-183-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-181-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-177-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-179-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-175-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-173-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-172-0x00000000049B0000-0x0000000004A01000-memory.dmp

Filesize
324KB

Download
memory/4996-171-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-170-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-169-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-168-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/4996-2302-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-2304-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4996-2305-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download