85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc

Analysis

max time kernel
453s
max time network
456s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/06/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleApplication2.exe
Size

4.5MB
MD5

ba6ea0efc527f2dcd8c13606a5e24e9a
SHA1

43a92bb3a589acf1a8480c7f0aeb14c7def349bd
SHA256

85e46e5e1a9b0117c0f1992ae253eac8fb69f854d35e7236583da529985204fc
SHA512

f4e7e4828bae57b8fac2e61ba254806408ef1aa2f35ac0da2b8b9fa5de25e2eaa537344138460f78b0271b82904a3b2e22f3ba078c9d8c3fe46c4f490c0462b5
SSDEEP

49152:mIvjeYIhNma2OwgHK0FqFREXY3Dl11tB+ugTizmRK6HeLAiIM1QfJPgDEWzIOwLy:mIvjeYgGoqF5DlzqTMTDEa

Score

7^/10

discovery execution persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\ConsoleApplication2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ConsoleApplication2"	ConsoleApplication2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
15	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io
1	ipinfo.io
2	ipinfo.io
3	ipinfo.io
5	ipinfo.io

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3096	powershell.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4208	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2956	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1492	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3476	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3876	ConsoleApplication2.exe
3876	ConsoleApplication2.exe
4404	powershell.exe
4404	powershell.exe
2540	powershell.exe
2540	powershell.exe
3096	powershell.exe
3096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe
Token: SeDebugPrivilege	4680	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4680	WMIC.exe
Token: SeRemoteShutdownPrivilege	4680	WMIC.exe
Token: SeUndockPrivilege	4680	WMIC.exe
Token: SeManageVolumePrivilege	4680	WMIC.exe
Token: 33	4680	WMIC.exe
Token: 34	4680	WMIC.exe
Token: 35	4680	WMIC.exe
Token: 36	4680	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe
Token: SeSecurityPrivilege	2844	WMIC.exe
Token: SeTakeOwnershipPrivilege	2844	WMIC.exe
Token: SeLoadDriverPrivilege	2844	WMIC.exe
Token: SeSystemProfilePrivilege	2844	WMIC.exe
Token: SeSystemtimePrivilege	2844	WMIC.exe
Token: SeProfSingleProcessPrivilege	2844	WMIC.exe
Token: SeIncBasePriorityPrivilege	2844	WMIC.exe
Token: SeCreatePagefilePrivilege	2844	WMIC.exe
Token: SeBackupPrivilege	2844	WMIC.exe
Token: SeRestorePrivilege	2844	WMIC.exe
Token: SeShutdownPrivilege	2844	WMIC.exe
Token: SeDebugPrivilege	2844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2844	WMIC.exe
Token: SeRemoteShutdownPrivilege	2844	WMIC.exe
Token: SeUndockPrivilege	2844	WMIC.exe
Token: SeManageVolumePrivilege	2844	WMIC.exe
Token: 33	2844	WMIC.exe
Token: 34	2844	WMIC.exe
Token: 35	2844	WMIC.exe
Token: 36	2844	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2844	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2848	3876	ConsoleApplication2.exe	78
PID 3876 wrote to memory of 2848	3876	ConsoleApplication2.exe	78
PID 3876 wrote to memory of 2848	3876	ConsoleApplication2.exe	78
PID 2848 wrote to memory of 3476	2848	cmd.exe	79
PID 2848 wrote to memory of 3476	2848	cmd.exe	79
PID 2848 wrote to memory of 3476	2848	cmd.exe	79
PID 3876 wrote to memory of 4880	3876	ConsoleApplication2.exe	80
PID 3876 wrote to memory of 4880	3876	ConsoleApplication2.exe	80
PID 3876 wrote to memory of 4880	3876	ConsoleApplication2.exe	80
PID 4880 wrote to memory of 4680	4880	cmd.exe	81
PID 4880 wrote to memory of 4680	4880	cmd.exe	81
PID 4880 wrote to memory of 4680	4880	cmd.exe	81
PID 3876 wrote to memory of 2716	3876	ConsoleApplication2.exe	83
PID 3876 wrote to memory of 2716	3876	ConsoleApplication2.exe	83
PID 3876 wrote to memory of 2716	3876	ConsoleApplication2.exe	83
PID 2716 wrote to memory of 2844	2716	cmd.exe	84
PID 2716 wrote to memory of 2844	2716	cmd.exe	84
PID 2716 wrote to memory of 2844	2716	cmd.exe	84
PID 3876 wrote to memory of 1000	3876	ConsoleApplication2.exe	85
PID 3876 wrote to memory of 1000	3876	ConsoleApplication2.exe	85
PID 3876 wrote to memory of 1000	3876	ConsoleApplication2.exe	85
PID 1000 wrote to memory of 4404	1000	cmd.exe	86
PID 1000 wrote to memory of 4404	1000	cmd.exe	86
PID 1000 wrote to memory of 4404	1000	cmd.exe	86
PID 3876 wrote to memory of 3840	3876	ConsoleApplication2.exe	87
PID 3876 wrote to memory of 3840	3876	ConsoleApplication2.exe	87
PID 3876 wrote to memory of 3840	3876	ConsoleApplication2.exe	87
PID 3840 wrote to memory of 4208	3840	cmd.exe	88
PID 3840 wrote to memory of 4208	3840	cmd.exe	88
PID 3840 wrote to memory of 4208	3840	cmd.exe	88
PID 3876 wrote to memory of 3744	3876	ConsoleApplication2.exe	89
PID 3876 wrote to memory of 3744	3876	ConsoleApplication2.exe	89
PID 3876 wrote to memory of 3744	3876	ConsoleApplication2.exe	89
PID 3744 wrote to memory of 3924	3744	cmd.exe	90
PID 3744 wrote to memory of 3924	3744	cmd.exe	90
PID 3744 wrote to memory of 3924	3744	cmd.exe	90
PID 3876 wrote to memory of 2288	3876	ConsoleApplication2.exe	91
PID 3876 wrote to memory of 2288	3876	ConsoleApplication2.exe	91
PID 3876 wrote to memory of 2288	3876	ConsoleApplication2.exe	91
PID 2288 wrote to memory of 1540	2288	cmd.exe	92
PID 2288 wrote to memory of 1540	2288	cmd.exe	92
PID 2288 wrote to memory of 1540	2288	cmd.exe	92
PID 3876 wrote to memory of 1896	3876	ConsoleApplication2.exe	93
PID 3876 wrote to memory of 1896	3876	ConsoleApplication2.exe	93
PID 3876 wrote to memory of 1896	3876	ConsoleApplication2.exe	93
PID 1896 wrote to memory of 3480	1896	cmd.exe	94
PID 1896 wrote to memory of 3480	1896	cmd.exe	94
PID 1896 wrote to memory of 3480	1896	cmd.exe	94
PID 3876 wrote to memory of 1968	3876	ConsoleApplication2.exe	95
PID 3876 wrote to memory of 1968	3876	ConsoleApplication2.exe	95
PID 3876 wrote to memory of 1968	3876	ConsoleApplication2.exe	95
PID 1968 wrote to memory of 2540	1968	cmd.exe	96
PID 1968 wrote to memory of 2540	1968	cmd.exe	96
PID 1968 wrote to memory of 2540	1968	cmd.exe	96
PID 3876 wrote to memory of 3100	3876	ConsoleApplication2.exe	97
PID 3876 wrote to memory of 3100	3876	ConsoleApplication2.exe	97
PID 3876 wrote to memory of 3100	3876	ConsoleApplication2.exe	97
PID 3100 wrote to memory of 2956	3100	cmd.exe	98
PID 3100 wrote to memory of 2956	3100	cmd.exe	98
PID 3100 wrote to memory of 2956	3100	cmd.exe	98
PID 3876 wrote to memory of 4300	3876	ConsoleApplication2.exe	99
PID 3876 wrote to memory of 4300	3876	ConsoleApplication2.exe	99
PID 3876 wrote to memory of 4300	3876	ConsoleApplication2.exe	99
PID 4300 wrote to memory of 1492	4300	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication2.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 1 1.1.1.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 1.1.1.1
    3⤵
    - Runs ping.exe
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3840
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic cpu get name
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path win32_VideoController get currentrefreshrate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get currentrefreshrate
    3⤵
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell Get-Content (Get-PSReadlineOption).HistorySavePath
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Content (Get-PSReadlineOption).HistorySavePath
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c tasklist
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c systeminfo
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:1492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh wlan show profile
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    PID:3724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /value
    3⤵
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
  2⤵
  PID:3556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic csproduct get uuid
  2⤵
  PID:1880
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:2348
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic os get Caption /value
  2⤵
  PID:5084
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic os get Caption /value
    3⤵
    PID:460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x000000000000049C
1⤵
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
e080d58e6387c9fd87434a502e1a902e

SHA1
ae76ce6a2a39d79226c343cfe4745d48c7c1a91a

SHA256
6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425

SHA512
6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3c30947c214b84bf533db3b5a822560f

SHA1
bb8c1d3f2877af5fb0a9afa7339b35d08b84011a

SHA256
e150d84c25c3f4c05f2b3b602dfdfd2759b751972852a3949f2bfada0ee9e071

SHA512
883c25a06881965a39b79d8d743140298d5c32ac3cec0a734b0786877560daee5dcb4b23ec31e2d681f7f76d376a4c55ea681286a49fb7532b96555765ac8db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ee4e1341867cb2a002634cd7fe5a2694

SHA1
5cf5210faf30b6e71fad8f06b8dea2f771e92d5e

SHA256
f094bae226b6fe6e6d7babee50d94beb5b3c869a848c2ca18f4a6dc77e27da85

SHA512
00a63c72ed22815fdc827d9da491cd75a60363d121241418b1cfa87ef9b3cb7dac9679f440d781c94b9cb8d5f6f0940b2305007351c9315f17e5a730cd494f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13oh1btn.xzt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsjZGTwdjKP73LZt\Nagogy-Grabber (Admin).zip

Filesize
4.8MB

MD5
277e820572178a5c35d14bdda7bd7a70

SHA1
964d3f103e58768a32d0b5301fc88b8632e9bc1d

SHA256
01c783a1deb568c6eead3ae96ad2b4552098d6cbd8380231026317145dec0a69

SHA512
82be39cb9f0e35ecedc38f06314d47c1051264e03d42f6a3d33093043ba22d7a833495b556cd8e2aa88613bc88a9899f3d941ddf269f7d5791a3421cb9843d95

Download Submit
memory/2540-35-0x0000000007190000-0x00000000071D6000-memory.dmp

Filesize
280KB

Download
memory/2540-32-0x0000000005B00000-0x0000000005E57000-memory.dmp

Filesize
3.3MB

Download
memory/2540-34-0x0000000006080000-0x00000000060CC000-memory.dmp

Filesize
304KB

Download
memory/3096-58-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/3096-48-0x0000000005AD0000-0x0000000005E27000-memory.dmp

Filesize
3.3MB

Download
memory/3096-59-0x00000000084E0000-0x0000000008B5A000-memory.dmp

Filesize
6.5MB

Download
memory/3876-82-0x0000000074A40000-0x0000000074A7C000-memory.dmp

Filesize
240KB

Download
memory/3876-170-0x0000000074A40000-0x0000000074A7C000-memory.dmp

Filesize
240KB

Download
memory/4404-13-0x0000000005F90000-0x00000000062E7000-memory.dmp

Filesize
3.3MB

Download
memory/4404-19-0x0000000007C40000-0x00000000081E6000-memory.dmp

Filesize
5.6MB

Download
memory/4404-18-0x0000000006990000-0x00000000069B2000-memory.dmp

Filesize
136KB

Download
memory/4404-16-0x00000000073F0000-0x0000000007486000-memory.dmp

Filesize
600KB

Download
memory/4404-17-0x0000000006940000-0x000000000695A000-memory.dmp

Filesize
104KB

Download
memory/4404-15-0x0000000006470000-0x00000000064BC000-memory.dmp

Filesize
304KB

Download
memory/4404-14-0x0000000006420000-0x000000000643E000-memory.dmp

Filesize
120KB

Download
memory/4404-0-0x0000000002C70000-0x0000000002CA6000-memory.dmp

Filesize
216KB

Download
memory/4404-4-0x0000000005F20000-0x0000000005F86000-memory.dmp

Filesize
408KB

Download
memory/4404-3-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/4404-2-0x0000000005CE0000-0x0000000005D02000-memory.dmp

Filesize
136KB

Download
memory/4404-1-0x0000000005670000-0x0000000005C9A000-memory.dmp

Filesize
6.2MB

Download