a310logger | 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72

Analysis

max time kernel
155s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bb1c29f4a8c046e798cd9781cc127a7.exe
Size

876KB
MD5

0bb1c29f4a8c046e798cd9781cc127a7
SHA1

bbad89c8d04b20f63d36014f00ded3818e595a53
SHA256

139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
SHA512

4b439bd85c725f104be24956525a6ae1a16dba28fe254695cbd667933d0cce2225e9a0f934ef17e1f5ef65ac033aa6ed72d016e3bed0bf270dd3d1eef12de63f
SSDEEP

12288:+nkguFRskuUAlWC/44toU73kJiIWK4vV9BrFZsk1q1/1Yah2UKbnltqvTmDcN:0kEkuUAlV46zbk6K6VVZsuSYgF+qvH

Score

10^/10

a310logger blustealer collection spyware stealer

Malware Config

Extracted

Family

blustealer

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
@@@@@@

Signatures

A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware a310logger
BluStealer
A Modular information stealer written in Visual Basic.
stealer blustealer

A310logger Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe	a310logger
behavioral2/memory/2552-51-0x0000000000B70000-0x0000000000C22000-memory.dmp	a310logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	0bb1c29f4a8c046e798cd9781cc127a7.exe

Executes dropped EXE 1 IoCs

Processes:

Fox.exe

pid process

2552 Fox.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2552	Fox.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of SetThreadContext 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

description pid process target process

PID 4976 set thread context of 4812 4976 0bb1c29f4a8c046e798cd9781cc127a7.exe 0bb1c29f4a8c046e798cd9781cc127a7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2012 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

4812 0bb1c29f4a8c046e798cd9781cc127a7.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

4812 0bb1c29f4a8c046e798cd9781cc127a7.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe

pid process

4812 0bb1c29f4a8c046e798cd9781cc127a7.exe

description	pid	process	target process
PID 4976 set thread context of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
2012	schtasks.exe

pid	process
4812	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
4812	0bb1c29f4a8c046e798cd9781cc127a7.exe

pid	process
4812	0bb1c29f4a8c046e798cd9781cc127a7.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

0bb1c29f4a8c046e798cd9781cc127a7.exe0bb1c29f4a8c046e798cd9781cc127a7.exe

description	pid	process	target process
PID 4976 wrote to memory of 2012	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 4976 wrote to memory of 2012	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 4976 wrote to memory of 2012	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	schtasks.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4976 wrote to memory of 4812	4976	0bb1c29f4a8c046e798cd9781cc127a7.exe	0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 4812 wrote to memory of 2552	4812	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe
PID 4812 wrote to memory of 2552	4812	0bb1c29f4a8c046e798cd9781cc127a7.exe	Fox.exe

outlook_office_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

outlook_win_path 1 IoCs

Processes:

Fox.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Fox.exe

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp558D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
  "{path}"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp558D.tmp

Filesize
1KB

MD5
46ef3f78745a6fcef03d424863df4f5f

SHA1
7c6445e114a49e56c43fdeffdada3a27a1955e26

SHA256
f092902dfd7a2433377b0f5aaa7bba18601f4cfe2bb559cc13960c35e0d05d49

SHA512
907eac8092ead453974f6e95e62e52b4da8c2549e280c3f250c787b4a6617def91b0ebaf3ef36226c3a6ccbf509777380bce8747cf2d7d1fc0d5f7cd1337fdb7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\F6NDNHWCM2.zip

Filesize
285KB

MD5
40a9752d59f2883e40d928f85a749008

SHA1
c60fb58eff64a7969b46f3934766f991352eeb47

SHA256
ef95540ec8dae3d255439fb847d26397c265b5cccda5ed0d6b9ed3dda14a2820

SHA512
ce33985f91103315accb1039635488d7e144df264bab8e164c1f9844ce6923e1c9c76349f14542901887ffcbbbca40b92cf474126f0b94893e8af1f608464b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip

Filesize
24B

MD5
98a833e15d18697e8e56cdafb0642647

SHA1
e5f94d969899646a3d4635f28a7cd9dd69705887

SHA256
ff006c86b5ec033fe3cafd759bf75be00e50c375c75157e99c0c5d39c96a2a6c

SHA512
c6f9a09d9707b770dbc10d47c4d9b949f4ebf5f030b5ef8c511b635c32d418ad25d72eee5d7ed02a96aeb8bf2c85491ca1aa0e4336d242793c886ed1bcdd910b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files.zip

Filesize
24KB

MD5
4beacb06c06c4248656da2918197bd4e

SHA1
d4bd54dec65737ff674857ab9335294500536da6

SHA256
b08ba29edc1b7861d16c3677bda1afcd6c5e9acc16e1c29a86219f7a19c3b8a8

SHA512
3e3dc6ead15603501ca5b7276b70be9d1037cff236eba7d26d5d6a5ead1bf5db458477415a4bc106c00f8e74b7d10b181dfb469516cda6892acb8bf4fe8a5a87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\CloseConvertFrom.txt

Filesize
39KB

MD5
809603ee8e1f100e0f0598f1d384529b

SHA1
47e02ec9f672210297a6b462cda2b763feebe665

SHA256
dcce5827065be416162ac53e61fb9667beefdbbd588f9ede78089472efcdc2d1

SHA512
fc848037e59e180c12a579c235489aee62fb3f21249b9daba92187bdd332d0fdff31044542df3fd0b760e776ea8d3edce64bd0e61f2b3ec143aa5e3ab56d5155

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ConvertGroup.pdf

Filesize
57KB

MD5
a8e530725428064bb5cbcf32c40a0e7d

SHA1
81e7ab9a51921276f4e1ca4a3a9a225936328578

SHA256
a258350a82087efe600611f6bd42a804b1e605ae6d70ce37e8a8e4c05e82950f

SHA512
3e81c30134902d457f05c2e5ecb0bf1f84694085cc8a2b5f38e1fb3779e991c5955a7c68c1bb0cd599e208eae968425c8be6ae6fc569250749066eee608a0036

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\ConvertShow.pdf

Filesize
75KB

MD5
d450d7eded49b69964360e3e48b0aa5d

SHA1
51acb81d0d2ac189b4bac7ad3712bce700c14046

SHA256
7dbc1b9beb1c6deecf917d8a3fe063618dcef813c17efac33c17dee59b52ecbb

SHA512
49f4598aea58b5aae26819bba58d5b9b181a2bfd434ad4ec2382e2288db0e21326e0d2e337386475e3a4d821b89f2dd633e7dbbc2d9d49fb2ee9ffae12386899

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\GroupMeasure.xlsm

Filesize
13KB

MD5
c83f69954a49110235f5761783d9f76d

SHA1
07a8efdbb529076faf9bd4b57f6b4a6af0115bd0

SHA256
aeb9f099ba37bbdc9effb4dd84c5295a83eec5259bf55e3a432db6da8fe76f83

SHA512
a41d691f9ebee6a0edb39547059e7dd143b141b1f13f8d04a0b2088148a558fe151e94ac2d92dd7a149f393f5a1a1001b0497e4e64a0fc7d62a4339a035721de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\InitializePing.rtf

Filesize
34KB

MD5
778e381b204c651a0ac701186728e746

SHA1
e92cd8d95bfcf1a0d1a5273cb91c75a68c4a3de7

SHA256
d1129fd3950185d5f1b009aa334d4d428affe74cdc0720f433a7e66a0b27acb3

SHA512
17246359409b1a5df507f24bd1bc07d75b569bfd602409b5b6bde8ca5a9a23ab39ffbb6b9e19c099bd8901cb42d06a718f8d1faf2a5cc9531ca4b75a3f8a9a23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\MergeRegister.docx

Filesize
114KB

MD5
148c67f444d15b0337d8109db054ef87

SHA1
f5fecd5ec70ab12e755b0d4844f2df60e5735723

SHA256
957cceb91bc377042887a16a6c6ae4abacb213320855fdf0a5a7bac721a0c628

SHA512
082d10a3c52e03508008e73f39c2c7718b17c53a7b69e2f9e2a29052302248f83ca399854d96474c2c92fb03d25544275d4b4b73e260735d0005281e76f34f92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\PublishEnter.xlsx

Filesize
125KB

MD5
0cf0b9f0ef01699ca92093809e3b5bf0

SHA1
76e1adc5b7fdf2d421cefe5d72d6aaa96a60f989

SHA256
87dee080e29392b28126ddbc8b989341a36026fe9d8b2e0f2ea414187f1f9a34

SHA512
f2905bc951fdcf8fb4498d9ac1a5e3604601ab2d96324073af5682016e3250da75f689a32f712a29c70aae97fb4063d9a5329f0567a2ad6b209d40c26b5c933b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\RevokeConnect.rtf

Filesize
126KB

MD5
dc277201e7c9af1c09742790c9a31a38

SHA1
20a1b06e65a6ff0af45fa319f52fa8607357fd95

SHA256
bee55164da9777dfd865547031d85c1028cc36396a1f1a1db7504bfea7daecf0

SHA512
521a47dafc7785435040a49d60a649b090ef9e286844ab9134433e5367082e1cd29ff7921b1b3f4c82c40b78d8f65f1a2ed5d13ac1af01129a9dd0914b157c8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\StepRevoke.xlsm

Filesize
27KB

MD5
bd3b3e35399037a2150cc1bb65109935

SHA1
fe36cb9c0c410413c688ba3e61ee96dfd97899bf

SHA256
ffafd2467194f3d450c68e795d0f9592e8d011f7fd34479a43b569db23a86ffb

SHA512
67c591ecfe6f2a3b1167724b8e895109736be7e45d74ce3753592eacbb4c87e060a4d26049483659707709b2dd7af4936a7816105e946c022901999438384f21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\SuspendUndo.xls

Filesize
21KB

MD5
6d20af45ebe2882d4b424218847a4f9a

SHA1
73b3f76842ed9d3b26a954072c0e272519a44389

SHA256
d1348805c9fc16898e06b98fb8b19b57008cfbfe8eb4ca6c7fbeb5c42f24ece2

SHA512
3b333c93b675375052f3178ca084872d37131f0c469cbf2ca2e969b9fc07d673fec912faae8b433dccc79061b16036d7a5f3bd88f41240e4a31a51a96ab37eff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Files\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Filesize
689KB

MD5
91b41651e6e9ab352805c6d35a297d08

SHA1
11b8eaa7b7941461bc952b11ec3f07d25dcd1c2e

SHA256
0872abe29cc9231cdded3a44e02a7ea17f09cf2ac2bdbd7077065858829c3723

SHA512
b0b0d73f6ac7b6e9b39db0fa58931873143f6559c3b8d3db2d82d453045f75da94f3236b6c6c5200b52af6cacc038565eb2e9c6a834608dac0b0e8bb45b1e892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt

Filesize
691B

MD5
055c857272026583a61e1b5821c69a24

SHA1
ec39d34f16487682801dd2b319554cbed57feca4

SHA256
190db16bb64995e3bdea04b9e6fc1994dacfea3253a7559732205b1d41362b84

SHA512
d7833c4651683e95959107e05b07b60d2e963b9fbecd0106b329e2087d1dfc9aedb962b334e22b6b462699cbce86097d4d50ce5d1310ad098e3531efaa4e204b

Download Submit
memory/2552-53-0x000000001B910000-0x000000001B920000-memory.dmp

Filesize
64KB

Download
memory/2552-52-0x00007FF8E6D60000-0x00007FF8E7821000-memory.dmp

Filesize
10.8MB

Download
memory/2552-51-0x0000000000B70000-0x0000000000C22000-memory.dmp

Filesize
712KB

Download
memory/2552-61-0x00007FF8E6D60000-0x00007FF8E7821000-memory.dmp

Filesize
10.8MB

Download
memory/4812-15-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4812-184-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4812-18-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4976-10-0x0000000007960000-0x0000000007A1E000-memory.dmp

Filesize
760KB

Download
memory/4976-11-0x0000000009EB0000-0x0000000009F22000-memory.dmp

Filesize
456KB

Download
memory/4976-19-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4976-9-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4976-8-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download
memory/4976-7-0x0000000005EE0000-0x0000000005F7C000-memory.dmp

Filesize
624KB

Download
memory/4976-6-0x0000000005180000-0x0000000005188000-memory.dmp

Filesize
32KB

Download
memory/4976-5-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/4976-4-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

Filesize
64KB

Download
memory/4976-3-0x0000000004C00000-0x0000000004C92000-memory.dmp

Filesize
584KB

Download
memory/4976-2-0x00000000051B0000-0x0000000005754000-memory.dmp

Filesize
5.6MB

Download
memory/4976-1-0x0000000000110000-0x00000000001F2000-memory.dmp

Filesize
904KB

Download
memory/4976-0-0x00000000751D0000-0x0000000075980000-memory.dmp

Filesize
7.7MB

Download