7b36d5c731b8c79f9d6f087bb15cded1b8243c359329a98c0d215afe93f75410

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SenPalia.exe
Size

131.9MB
MD5

56f5eb184d9c8d9ef0f53690bf3c6a3e
SHA1

086699f8101941be8f7aedb3951668c1f6c7a667
SHA256

00237586cf58e51aa11e0d72daf9c03384de0aa78859df8ecde9814f3df4b432
SHA512

f12cf1ec721ebe366ebe1516479a9d7f8115846ffe89b056a2793089a3c9526dd3dc46b8575f8a9e0f2ab2cc0c965b8dc5d819a0f86132976b4edf34563c5f0c
SSDEEP

1572864:s4sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCV3:xl/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
448	SenPalia.exe
448	SenPalia.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ipinfo.io
33	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SenPalia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	SenPalia.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SenPalia.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SenPalia.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
1928	tasklist.exe
4956	tasklist.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5072	powershell.exe
3188	powershell.exe
4492	powershell.exe
4492	powershell.exe
4736	SenPalia.exe
4736	SenPalia.exe
3188	powershell.exe
3188	powershell.exe
5072	powershell.exe
5072	powershell.exe
4492	powershell.exe
4476	SenPalia.exe
4476	SenPalia.exe
4476	SenPalia.exe
4476	SenPalia.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeIncreaseQuotaPrivilege	3188	powershell.exe
Token: SeSecurityPrivilege	3188	powershell.exe
Token: SeTakeOwnershipPrivilege	3188	powershell.exe
Token: SeLoadDriverPrivilege	3188	powershell.exe
Token: SeSystemProfilePrivilege	3188	powershell.exe
Token: SeSystemtimePrivilege	3188	powershell.exe
Token: SeProfSingleProcessPrivilege	3188	powershell.exe
Token: SeIncBasePriorityPrivilege	3188	powershell.exe
Token: SeCreatePagefilePrivilege	3188	powershell.exe
Token: SeBackupPrivilege	3188	powershell.exe
Token: SeRestorePrivilege	3188	powershell.exe
Token: SeShutdownPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeSystemEnvironmentPrivilege	3188	powershell.exe
Token: SeRemoteShutdownPrivilege	3188	powershell.exe
Token: SeUndockPrivilege	3188	powershell.exe
Token: SeManageVolumePrivilege	3188	powershell.exe
Token: 33	3188	powershell.exe
Token: 34	3188	powershell.exe
Token: 35	3188	powershell.exe
Token: 36	3188	powershell.exe
Token: SeIncreaseQuotaPrivilege	5072	powershell.exe
Token: SeSecurityPrivilege	5072	powershell.exe
Token: SeTakeOwnershipPrivilege	5072	powershell.exe
Token: SeLoadDriverPrivilege	5072	powershell.exe
Token: SeSystemProfilePrivilege	5072	powershell.exe
Token: SeSystemtimePrivilege	5072	powershell.exe
Token: SeProfSingleProcessPrivilege	5072	powershell.exe
Token: SeIncBasePriorityPrivilege	5072	powershell.exe
Token: SeCreatePagefilePrivilege	5072	powershell.exe
Token: SeBackupPrivilege	5072	powershell.exe
Token: SeRestorePrivilege	5072	powershell.exe
Token: SeShutdownPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeSystemEnvironmentPrivilege	5072	powershell.exe
Token: SeRemoteShutdownPrivilege	5072	powershell.exe
Token: SeUndockPrivilege	5072	powershell.exe
Token: SeManageVolumePrivilege	5072	powershell.exe
Token: 33	5072	powershell.exe
Token: 34	5072	powershell.exe
Token: 35	5072	powershell.exe
Token: 36	5072	powershell.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeDebugPrivilege	1928	tasklist.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeShutdownPrivilege	448	SenPalia.exe
Token: SeCreatePagefilePrivilege	448	SenPalia.exe
Token: SeShutdownPrivilege	448	SenPalia.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 1780	448	SenPalia.exe	87
PID 448 wrote to memory of 1780	448	SenPalia.exe	87
PID 448 wrote to memory of 1780	448	SenPalia.exe	87
PID 1780 wrote to memory of 368	1780	cmd.exe	89
PID 1780 wrote to memory of 368	1780	cmd.exe	89
PID 1780 wrote to memory of 368	1780	cmd.exe	89
PID 448 wrote to memory of 1680	448	SenPalia.exe	111
PID 448 wrote to memory of 1680	448	SenPalia.exe	111
PID 448 wrote to memory of 1680	448	SenPalia.exe	111
PID 448 wrote to memory of 5072	448	SenPalia.exe	92
PID 448 wrote to memory of 5072	448	SenPalia.exe	92
PID 448 wrote to memory of 5072	448	SenPalia.exe	92
PID 448 wrote to memory of 3188	448	SenPalia.exe	94
PID 448 wrote to memory of 3188	448	SenPalia.exe	94
PID 448 wrote to memory of 3188	448	SenPalia.exe	94
PID 448 wrote to memory of 4492	448	SenPalia.exe	95
PID 448 wrote to memory of 4492	448	SenPalia.exe	95
PID 448 wrote to memory of 4492	448	SenPalia.exe	95
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4440	448	SenPalia.exe	98
PID 448 wrote to memory of 4736	448	SenPalia.exe	99
PID 448 wrote to memory of 4736	448	SenPalia.exe	99
PID 448 wrote to memory of 4736	448	SenPalia.exe	99
PID 448 wrote to memory of 4340	448	SenPalia.exe	101
PID 448 wrote to memory of 4340	448	SenPalia.exe	101
PID 448 wrote to memory of 4340	448	SenPalia.exe	101
PID 4340 wrote to memory of 3968	4340	cmd.exe	103
PID 4340 wrote to memory of 3968	4340	cmd.exe	103
PID 4340 wrote to memory of 3968	4340	cmd.exe	103
PID 448 wrote to memory of 1868	448	SenPalia.exe	104
PID 448 wrote to memory of 1868	448	SenPalia.exe	104
PID 448 wrote to memory of 1868	448	SenPalia.exe	104
PID 1868 wrote to memory of 2688	1868	cmd.exe	106
PID 1868 wrote to memory of 2688	1868	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
"C:\Users\Admin\AppData\Local\Temp\SenPalia.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1880,i,9156852250474165058,11778037339475529572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --mojo-platform-channel-handle=2140 --field-trial-handle=1880,i,9156852250474165058,11778037339475529572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Windows\SysWOW64\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SysWOW64\where.exe
    where /r . *.sqlite
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3600
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:1176
- - C:\Windows\SysWOW64\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:432
- C:\Users\Admin\AppData\Local\Temp\SenPalia.exe
  "C:\Users\Admin\AppData\Local\Temp\SenPalia.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\SenPalia" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1880,i,9156852250474165058,11778037339475529572,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6ef1ee07865201ee53d9998ed1ec394e

SHA1
d33f4b751c38a0bc6c20516ec3c131b17b72a68f

SHA256
ca596afc4b092d0fc06d63d64b8e98790e3246b975763b72bfd2c185dbf546a3

SHA512
13315a7f1defdba4284f7e7a2250f3757f693f2891ca221ff251b4fe517c91866929f1b6992aea92ca7cdc96bc91ecb62b68f0e766d6d6a8ff5fad7041dc91d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
839517145a625753b1d18e0eed11d4b2

SHA1
29b0c81958fba4ceff784a06b2c827747d98dff7

SHA256
fe0ac9b123d41e4045dfe9962e3eaf09e7435a194f4cf08af4fdbdfdc904d80a

SHA512
87003c24e0127ef75d5b1eff554e228059cac4887c698a2aab5c8862985875abf159651a3b8f86dd048919dcc14ed03a019c8c0f0bdc8ee08b60e5d59dadba2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
74885dd19052314aebc83c5e5580e0b7

SHA1
86aaba829a855587484cecb78d8da876158665a8

SHA256
2ef239b270f136c576de0ed5cdd702d3ff9c5e9142b6cd4839605fda105d2454

SHA512
8614695b4c1de82a259e436aaeaf4e1291b24c72549d989f44de4190d2df372856230c626658502c7181b7f880dc3ca2f2c8a4eef649a209743dad3dd6847934

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f6eb72d-c71f-469f-88d8-b408b54c9d68.tmp.node

Filesize
95KB

MD5
7810c43e0fc41cdc4c3edda1a4b690de

SHA1
d942c78ce83b0b9a49df72863278aedf08e66383

SHA256
7b4f01b553e7679883be6386afe834d38d0ff4ee70478b3ee777c95d94c2b1bb

SHA512
785d4a7d56d8a89c46eaa2d901deb49016bf9c963f9ba69110076f218d6c7af5005c99c9d40b915120c9d7e09acc036b57c2e767f1d31d28896760c1b62eb9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unhd32qj.4tu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a01156a8-19ce-4d5d-9d8d-a5c3f1b83696.tmp.node

Filesize
1.5MB

MD5
bfaf25928dfce494f87c917bae87f6fe

SHA1
1fd1e034829d52fc22dd51325a6f70730e75ed04

SHA256
9e969f793ebb2d7c3c0870fc3ea2d1caf4412a6f4471f229054880dab5a28636

SHA512
06801ff0d6addc88a3c71d31307c1a3cd8a7e773f877e2a8c5aaebdef5668eb7e8fb486baa56aa2055d4cce9c4d878dd30531fa09828fc5eab34a6b0ded9fb31

Download Submit
memory/3188-77-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3188-56-0x0000000007230000-0x00000000072A6000-memory.dmp

Filesize
472KB

Download
memory/3188-23-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3188-29-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/3188-98-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3188-105-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/3188-30-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/3188-83-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/3188-35-0x0000000005A10000-0x0000000005A76000-memory.dmp

Filesize
408KB

Download
memory/3188-52-0x0000000005AE0000-0x0000000005E34000-memory.dmp

Filesize
3.3MB

Download
memory/3188-12-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/3188-78-0x0000000007500000-0x00000000075A3000-memory.dmp

Filesize
652KB

Download
memory/3188-53-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/3188-66-0x000000006C5A0000-0x000000006C5EC000-memory.dmp

Filesize
304KB

Download
memory/3188-55-0x0000000006EC0000-0x0000000006F04000-memory.dmp

Filesize
272KB

Download
memory/3188-96-0x000000006C710000-0x000000006CA64000-memory.dmp

Filesize
3.3MB

Download
memory/3188-58-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/3188-13-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/3188-64-0x000000007F350000-0x000000007F360000-memory.dmp

Filesize
64KB

Download
memory/3188-63-0x00000000074A0000-0x00000000074D2000-memory.dmp

Filesize
200KB

Download
memory/3188-76-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/4476-128-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-129-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-130-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-123-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-124-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-122-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-132-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-131-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-134-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4476-133-0x000000000EFA0000-0x000000000EFA1000-memory.dmp

Filesize
4KB

Download
memory/4492-54-0x0000000006760000-0x00000000067AC000-memory.dmp

Filesize
304KB

Download
memory/4492-57-0x0000000007C10000-0x000000000828A000-memory.dmp

Filesize
6.5MB

Download
memory/4492-49-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4492-51-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/4492-14-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4492-62-0x0000000008840000-0x0000000008DE4000-memory.dmp

Filesize
5.6MB

Download
memory/4492-65-0x00000000077A0000-0x0000000007832000-memory.dmp

Filesize
584KB

Download
memory/4492-82-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/4492-11-0x0000000004C40000-0x0000000004C76000-memory.dmp

Filesize
216KB

Download
memory/5072-81-0x000000006C5A0000-0x000000006C5EC000-memory.dmp

Filesize
304KB

Download
memory/5072-17-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5072-106-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/5072-94-0x0000000007490000-0x00000000074BA000-memory.dmp

Filesize
168KB

Download
memory/5072-97-0x000000006C710000-0x000000006CA64000-memory.dmp

Filesize
3.3MB

Download
memory/5072-16-0x0000000072C70000-0x0000000073420000-memory.dmp

Filesize
7.7MB

Download
memory/5072-99-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5072-95-0x00000000074C0000-0x00000000074E4000-memory.dmp

Filesize
144KB

Download
memory/5072-36-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/5072-15-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download