e0005227c3c8d598d73108b95758f2a64cc92305614bb111d5e9526a1201ed81

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnderWars.exe
Size

131.9MB
MD5

a811c43472e980249aa137fb2b9fc604
SHA1

aba9f6ff196ef106f8ef5f5fc2424084ff498895
SHA256

2e94964b2ba5b21cb2f67f3057586831489ff433637b6bfb7818b5972822e474
SHA512

a6d4a8d6c146e7dace02e617518c026cb84f0fd57122e403b20fff51dab30347b40c3b9d46b2e61572e3cc9e812e6e11755616eba9593683b42f5b48ae46eb99
SSDEEP

1572864:84sMLl/BkZTVV2iplzf+ekzrMdTOG0AfhgojwlwVgmPQtn06H9rejAEdCoIZXCVc:hl/BkVVPBDgmPKa5Wnu3X7

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1460	UnderWars.exe
1460	UnderWars.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	ipinfo.io
32	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	UnderWars.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UnderWars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	UnderWars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	UnderWars.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	UnderWars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	UnderWars.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	UnderWars.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3588	tasklist.exe
2896	tasklist.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2504	powershell.exe
2504	powershell.exe
2000	powershell.exe
2000	powershell.exe
1744	powershell.exe
1744	powershell.exe
4236	UnderWars.exe
4236	UnderWars.exe
2000	powershell.exe
1744	powershell.exe
2504	powershell.exe
2056	UnderWars.exe
2056	UnderWars.exe
2056	UnderWars.exe
2056	UnderWars.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeIncreaseQuotaPrivilege	2504	powershell.exe
Token: SeSecurityPrivilege	2504	powershell.exe
Token: SeTakeOwnershipPrivilege	2504	powershell.exe
Token: SeLoadDriverPrivilege	2504	powershell.exe
Token: SeSystemProfilePrivilege	2504	powershell.exe
Token: SeSystemtimePrivilege	2504	powershell.exe
Token: SeProfSingleProcessPrivilege	2504	powershell.exe
Token: SeIncBasePriorityPrivilege	2504	powershell.exe
Token: SeCreatePagefilePrivilege	2504	powershell.exe
Token: SeBackupPrivilege	2504	powershell.exe
Token: SeRestorePrivilege	2504	powershell.exe
Token: SeShutdownPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeSystemEnvironmentPrivilege	2504	powershell.exe
Token: SeRemoteShutdownPrivilege	2504	powershell.exe
Token: SeUndockPrivilege	2504	powershell.exe
Token: SeManageVolumePrivilege	2504	powershell.exe
Token: 33	2504	powershell.exe
Token: 34	2504	powershell.exe
Token: 35	2504	powershell.exe
Token: 36	2504	powershell.exe
Token: SeIncreaseQuotaPrivilege	2000	powershell.exe
Token: SeSecurityPrivilege	2000	powershell.exe
Token: SeTakeOwnershipPrivilege	2000	powershell.exe
Token: SeLoadDriverPrivilege	2000	powershell.exe
Token: SeSystemProfilePrivilege	2000	powershell.exe
Token: SeSystemtimePrivilege	2000	powershell.exe
Token: SeProfSingleProcessPrivilege	2000	powershell.exe
Token: SeIncBasePriorityPrivilege	2000	powershell.exe
Token: SeCreatePagefilePrivilege	2000	powershell.exe
Token: SeBackupPrivilege	2000	powershell.exe
Token: SeRestorePrivilege	2000	powershell.exe
Token: SeShutdownPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeSystemEnvironmentPrivilege	2000	powershell.exe
Token: SeRemoteShutdownPrivilege	2000	powershell.exe
Token: SeUndockPrivilege	2000	powershell.exe
Token: SeManageVolumePrivilege	2000	powershell.exe
Token: 33	2000	powershell.exe
Token: 34	2000	powershell.exe
Token: 35	2000	powershell.exe
Token: 36	2000	powershell.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeDebugPrivilege	3588	tasklist.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe
Token: SeCreatePagefilePrivilege	1460	UnderWars.exe
Token: SeShutdownPrivilege	1460	UnderWars.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 4508	1460	UnderWars.exe	92
PID 1460 wrote to memory of 4508	1460	UnderWars.exe	92
PID 1460 wrote to memory of 4508	1460	UnderWars.exe	92
PID 4508 wrote to memory of 3012	4508	cmd.exe	110
PID 4508 wrote to memory of 3012	4508	cmd.exe	110
PID 4508 wrote to memory of 3012	4508	cmd.exe	110
PID 1460 wrote to memory of 2540	1460	UnderWars.exe	95
PID 1460 wrote to memory of 2540	1460	UnderWars.exe	95
PID 1460 wrote to memory of 2540	1460	UnderWars.exe	95
PID 1460 wrote to memory of 2504	1460	UnderWars.exe	97
PID 1460 wrote to memory of 2504	1460	UnderWars.exe	97
PID 1460 wrote to memory of 2504	1460	UnderWars.exe	97
PID 1460 wrote to memory of 2000	1460	UnderWars.exe	99
PID 1460 wrote to memory of 2000	1460	UnderWars.exe	99
PID 1460 wrote to memory of 2000	1460	UnderWars.exe	99
PID 1460 wrote to memory of 1744	1460	UnderWars.exe	100
PID 1460 wrote to memory of 1744	1460	UnderWars.exe	100
PID 1460 wrote to memory of 1744	1460	UnderWars.exe	100
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 2224	1460	UnderWars.exe	103
PID 1460 wrote to memory of 4236	1460	UnderWars.exe	104
PID 1460 wrote to memory of 4236	1460	UnderWars.exe	104
PID 1460 wrote to memory of 4236	1460	UnderWars.exe	104
PID 1460 wrote to memory of 4656	1460	UnderWars.exe	106
PID 1460 wrote to memory of 4656	1460	UnderWars.exe	106
PID 1460 wrote to memory of 4656	1460	UnderWars.exe	106
PID 4656 wrote to memory of 4628	4656	cmd.exe	108
PID 4656 wrote to memory of 4628	4656	cmd.exe	108
PID 4656 wrote to memory of 4628	4656	cmd.exe	108
PID 1460 wrote to memory of 1664	1460	UnderWars.exe	109
PID 1460 wrote to memory of 1664	1460	UnderWars.exe	109
PID 1460 wrote to memory of 1664	1460	UnderWars.exe	109
PID 1664 wrote to memory of 836	1664	cmd.exe	111
PID 1664 wrote to memory of 836	1664	cmd.exe	111

C:\Users\Admin\AppData\Local\Temp\UnderWars.exe
"C:\Users\Admin\AppData\Local\Temp\UnderWars.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\SysWOW64\chcp.com
    chcp
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:2540
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\UnderWars.exe
  "C:\Users\Admin\AppData\Local\Temp\UnderWars.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\UnderWars" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 --field-trial-handle=1912,i,13212384306104683398,10874016076939783497,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\UnderWars.exe
  "C:\Users\Admin\AppData\Local\Temp\UnderWars.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\UnderWars" --mojo-platform-channel-handle=2144 --field-trial-handle=1912,i,13212384306104683398,10874016076939783497,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . *.sqlite"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\where.exe
    where /r . *.sqlite
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "where /r . cookies.sqlite"
  2⤵
  PID:4116
- - C:\Windows\SysWOW64\where.exe
    where /r . cookies.sqlite
    3⤵
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\UnderWars.exe
  "C:\Users\Admin\AppData\Local\Temp\UnderWars.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\UnderWars" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAABgAAAAAAAAAGAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1912,i,13212384306104683398,10874016076939783497,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
4279e6347a341c54e5e9bcc5ccf0b55e

SHA1
54e8b5376f11426145c70cb07a47da6c7c536bfe

SHA256
1d6fb68d1b317f18ae1f506adebddc735260a7d79fc25cbe5208a66baf9611fb

SHA512
ebfa6e9a7ae45305d929c0ec75fcf2d368fa786427e533859b537b4c1a3d609f9eff313977e6c3a33acf4d06906149fdc8f3bf684d36be9c5f669867e6b722c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
807a22d0687babe74083c7e431a5e256

SHA1
4ebd2d74a624b1dfb25adf5f4d8686e422e701b5

SHA256
83fc1c37442461e061b2e5a591b5adf3b2e5136c0e83aea42f159a586e893e85

SHA512
e849a1e862d5fc29383ce7b075b46aab2da4fd439935d744e3d5291bd983f5db01b003370a059a34f9e3af7f32e6cd3b16f4985bc8fdf7e72c4bc3ad7d04ae17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
b60fe6ecf615d51011bbe09adda1a67a

SHA1
2640005a00d3fb92ea7b92ad8c9008bd91c215e4

SHA256
49b7ea359241e032a494717c9a054346443ba3b050824a02cf661da40e218597

SHA512
2469e937c3935bf144daf7902f61fb354ecbc817533a76d1041ffead64146e7f1693fde9ed370b3f507934c6cc6256aff3491feffc8db007b3e3000ac380d43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ca06a62-c338-4d3f-a785-9f790b8be335.tmp.node

Filesize
95KB

MD5
2b2800c7204d856956b9598e8b6f4a3a

SHA1
116ad5ff427bf965eebd1e7cb93ee65bd934b016

SHA256
d2cd4d2eac0e4d17ebabece25721d647c7ead96d249c63fdb9d0c25ad209e1dc

SHA512
bb1f6fe04f8e6ee08f2b45840e02578cc61f2bcfe13dd94ccbaff2cf08a5b15120e7fb9a05e86ddd0ddd2fa587440018a0ee1881a785763bf1e44b5d866d5789

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w2qscv3j.4zh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e551e934-378b-44b3-b402-8458914ba2fa.tmp.node

Filesize
1.5MB

MD5
ea6875ee29d7254a7eaadb7087da7716

SHA1
f6aab0020f513cbe88a9b57a5bc98c2932f74f85

SHA256
50a6ca59dd58260007e828154a3b001e0d132e16cbb485bd3b2dffdecf8c74f1

SHA512
a08bd4d3824e34cc1b80456b3d753981917afa52f1dda11740e811f1726eee7d52c100a060ed882a91f71131458fd56355ed7d3ca27ce325a01a9fa473c0d559

Download Submit
memory/1744-23-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/1744-19-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1744-14-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-94-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/1744-57-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/1744-88-0x0000000007830000-0x00000000078C2000-memory.dmp

Filesize
584KB

Download
memory/1744-22-0x0000000005AA0000-0x0000000005B06000-memory.dmp

Filesize
408KB

Download
memory/1744-16-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/1744-77-0x00000000086A0000-0x0000000008C44000-memory.dmp

Filesize
5.6MB

Download
memory/1744-13-0x00000000053D0000-0x00000000059F8000-memory.dmp

Filesize
6.2MB

Download
memory/1744-43-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/1744-55-0x0000000007370000-0x00000000073E6000-memory.dmp

Filesize
472KB

Download
memory/1744-54-0x0000000006820000-0x0000000006864000-memory.dmp

Filesize
272KB

Download
memory/2000-92-0x0000000007AE0000-0x0000000007B0A000-memory.dmp

Filesize
168KB

Download
memory/2000-96-0x000000006D970000-0x000000006DCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-11-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-10-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/2000-98-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2000-65-0x000000006D220000-0x000000006D26C000-memory.dmp

Filesize
304KB

Download
memory/2000-105-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/2000-20-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/2000-93-0x0000000007B10000-0x0000000007B34000-memory.dmp

Filesize
144KB

Download
memory/2000-63-0x000000007F940000-0x000000007F950000-memory.dmp

Filesize
64KB

Download
memory/2056-122-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-124-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-134-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-131-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-132-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-129-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-130-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-128-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-133-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2056-123-0x000000000E850000-0x000000000E851000-memory.dmp

Filesize
4KB

Download
memory/2504-21-0x0000000005890000-0x00000000058B2000-memory.dmp

Filesize
136KB

Download
memory/2504-64-0x000000006D220000-0x000000006D26C000-memory.dmp

Filesize
304KB

Download
memory/2504-75-0x0000000007DE0000-0x0000000007DFE000-memory.dmp

Filesize
120KB

Download
memory/2504-56-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/2504-95-0x000000006D970000-0x000000006DCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-107-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download
memory/2504-89-0x0000000007F00000-0x0000000007F0A000-memory.dmp

Filesize
40KB

Download
memory/2504-53-0x00000000068E0000-0x000000000692C000-memory.dmp

Filesize
304KB

Download
memory/2504-99-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2504-62-0x000000007F120000-0x000000007F130000-memory.dmp

Filesize
64KB

Download
memory/2504-17-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2504-18-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2504-61-0x0000000007DA0000-0x0000000007DD2000-memory.dmp

Filesize
200KB

Download
memory/2504-87-0x0000000007E00000-0x0000000007EA3000-memory.dmp

Filesize
652KB

Download
memory/2504-76-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2504-52-0x0000000006850000-0x000000000686E000-memory.dmp

Filesize
120KB

Download
memory/2504-15-0x0000000073910000-0x00000000740C0000-memory.dmp

Filesize
7.7MB

Download