povertystealer | 8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0

Analysis

max time kernel
105s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 23:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe
Size

1.4MB
MD5

74c1c83c732cfec9911b8b392dbf89b8
SHA1

25ed13bd043b31ae55dac26010c48537ec733cce
SHA256

8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0
SHA512

820ce9e2e562912b663e2aa9b34125009da95c133be4313ea242b9cf492e1fd9f12a2de8b3efee9d8d487f752df6332c9336fccd90374d872ccceea0631ebf92
SSDEEP

24576:3Mjhfa5aaH+5vgpD650+RFo6kF/5SrkGB8PGqooMWiI05bmktUNudtJjdPrF:K/nog50+Ri6kokGB9qoC1ab7SNudXjdZ

Score

10^/10

povertystealer discovery execution stealer

Malware Config

Signatures

Detect Poverty Stealer Payload 8 IoCs

resource	yara_rule
behavioral2/memory/1592-117-0x0000000000BD0000-0x0000000000BDA000-memory.dmp	family_povertystealer
behavioral2/memory/1592-121-0x0000000000BD0000-0x0000000000BDA000-memory.dmp	family_povertystealer
behavioral2/memory/1592-123-0x0000000000BD0000-0x0000000000BDA000-memory.dmp	family_povertystealer
behavioral2/memory/1592-124-0x0000000000BD0000-0x0000000000BDA000-memory.dmp	family_povertystealer
behavioral2/memory/4220-152-0x0000000000A00000-0x0000000000A0A000-memory.dmp	family_povertystealer
behavioral2/memory/4220-156-0x0000000000A00000-0x0000000000A0A000-memory.dmp	family_povertystealer
behavioral2/memory/4220-158-0x0000000000A00000-0x0000000000A0A000-memory.dmp	family_povertystealer
behavioral2/memory/4220-159-0x0000000000A00000-0x0000000000A0A000-memory.dmp	family_povertystealer

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Povertystealer family
povertystealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp

Executes dropped EXE 2 IoCs

pid	Process
4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp

Loads dropped DLL 6 IoCs

pid	Process
4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
1592	regsvr32.exe
4220	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
4900	powershell.exe
4832	powershell.exe
3576	powershell.exe
4832	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
1592	regsvr32.exe
1592	regsvr32.exe
4900	powershell.exe
4900	powershell.exe
4832	powershell.exe
4832	powershell.exe
1592	regsvr32.exe
1592	regsvr32.exe
1592	regsvr32.exe
4220	regsvr32.exe
4220	regsvr32.exe
3576	powershell.exe
3576	powershell.exe
4220	regsvr32.exe
4220	regsvr32.exe
4220	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	4900	powershell.exe
Token: SeSecurityPrivilege	4900	powershell.exe
Token: SeTakeOwnershipPrivilege	4900	powershell.exe
Token: SeLoadDriverPrivilege	4900	powershell.exe
Token: SeSystemProfilePrivilege	4900	powershell.exe
Token: SeSystemtimePrivilege	4900	powershell.exe
Token: SeProfSingleProcessPrivilege	4900	powershell.exe
Token: SeIncBasePriorityPrivilege	4900	powershell.exe
Token: SeCreatePagefilePrivilege	4900	powershell.exe
Token: SeBackupPrivilege	4900	powershell.exe
Token: SeRestorePrivilege	4900	powershell.exe
Token: SeShutdownPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeSystemEnvironmentPrivilege	4900	powershell.exe
Token: SeRemoteShutdownPrivilege	4900	powershell.exe
Token: SeUndockPrivilege	4900	powershell.exe
Token: SeManageVolumePrivilege	4900	powershell.exe
Token: 33	4900	powershell.exe
Token: 34	4900	powershell.exe
Token: 35	4900	powershell.exe
Token: 36	4900	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeIncreaseQuotaPrivilege	4832	powershell.exe
Token: SeSecurityPrivilege	4832	powershell.exe
Token: SeTakeOwnershipPrivilege	4832	powershell.exe
Token: SeLoadDriverPrivilege	4832	powershell.exe
Token: SeSystemProfilePrivilege	4832	powershell.exe
Token: SeSystemtimePrivilege	4832	powershell.exe
Token: SeProfSingleProcessPrivilege	4832	powershell.exe
Token: SeIncBasePriorityPrivilege	4832	powershell.exe
Token: SeCreatePagefilePrivilege	4832	powershell.exe
Token: SeBackupPrivilege	4832	powershell.exe
Token: SeRestorePrivilege	4832	powershell.exe
Token: SeShutdownPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeSystemEnvironmentPrivilege	4832	powershell.exe
Token: SeRemoteShutdownPrivilege	4832	powershell.exe
Token: SeUndockPrivilege	4832	powershell.exe
Token: SeManageVolumePrivilege	4832	powershell.exe
Token: 33	4832	powershell.exe
Token: 34	4832	powershell.exe
Token: 35	4832	powershell.exe
Token: 36	4832	powershell.exe
Token: SeIncreaseQuotaPrivilege	4832	powershell.exe
Token: SeSecurityPrivilege	4832	powershell.exe
Token: SeTakeOwnershipPrivilege	4832	powershell.exe
Token: SeLoadDriverPrivilege	4832	powershell.exe
Token: SeSystemProfilePrivilege	4832	powershell.exe
Token: SeSystemtimePrivilege	4832	powershell.exe
Token: SeProfSingleProcessPrivilege	4832	powershell.exe
Token: SeIncBasePriorityPrivilege	4832	powershell.exe
Token: SeCreatePagefilePrivilege	4832	powershell.exe
Token: SeBackupPrivilege	4832	powershell.exe
Token: SeRestorePrivilege	4832	powershell.exe
Token: SeShutdownPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeSystemEnvironmentPrivilege	4832	powershell.exe
Token: SeRemoteShutdownPrivilege	4832	powershell.exe
Token: SeUndockPrivilege	4832	powershell.exe
Token: SeManageVolumePrivilege	4832	powershell.exe
Token: 33	4832	powershell.exe
Token: 34	4832	powershell.exe
Token: 35	4832	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 4908	1164	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	83
PID 1164 wrote to memory of 4908	1164	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	83
PID 1164 wrote to memory of 4908	1164	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	83
PID 4908 wrote to memory of 3868	4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	84
PID 4908 wrote to memory of 3868	4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	84
PID 4908 wrote to memory of 3868	4908	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	84
PID 3868 wrote to memory of 4104	3868	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	85
PID 3868 wrote to memory of 4104	3868	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	85
PID 3868 wrote to memory of 4104	3868	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe	85
PID 4104 wrote to memory of 1592	4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	86
PID 4104 wrote to memory of 1592	4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	86
PID 4104 wrote to memory of 1592	4104	8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp	86
PID 1592 wrote to memory of 4900	1592	regsvr32.exe	87
PID 1592 wrote to memory of 4900	1592	regsvr32.exe	87
PID 1592 wrote to memory of 4900	1592	regsvr32.exe	87
PID 1592 wrote to memory of 4832	1592	regsvr32.exe	92
PID 1592 wrote to memory of 4832	1592	regsvr32.exe	92
PID 1592 wrote to memory of 4832	1592	regsvr32.exe	92
PID 2860 wrote to memory of 4220	2860	regsvr32.EXE	110
PID 2860 wrote to memory of 4220	2860	regsvr32.EXE	110
PID 2860 wrote to memory of 4220	2860	regsvr32.EXE	110
PID 4220 wrote to memory of 3576	4220	regsvr32.exe	111
PID 4220 wrote to memory of 3576	4220	regsvr32.exe	111
PID 4220 wrote to memory of 3576	4220	regsvr32.exe	111

C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe
"C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\is-PS0K6.tmp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PS0K6.tmp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp" /SL5="$70064,1081243,161792,C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe
    "C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\is-6K244.tmp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6K244.tmp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp" /SL5="$A006A,1081243,161792,C:\Users\Admin\AppData\Local\Temp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\\9ntdll_4.drv"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv' }) { exit 0 } else { exit 1 }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{08C78EB4-A612-49C4-E6DD-023F55B9E3E3}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv
1⤵
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:SYNC C:\Users\Admin\AppData\Roaming\9ntdll_4.drv' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
6fc4718a6f33b1e9e90d22c42dcca205

SHA1
d0b6bc54450cfd771014416925a2cf1d13112481

SHA256
0ffe634d0e727d6f366e779455f246d4e3041275931544954d67bda1e700d6e4

SHA512
208cbc2cbaf6e68e2512d6391cd3246ec8db19a35171672151e7a962c9fab5992d72ccdcabefa212ede4f8a31c3568bec91f95efb5eec300b2f559b3592f8399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
586d8282ca54b17146e6ed0b9a759bf5

SHA1
0672dcc1b8d20a1d0d402be5c914d71701c50d45

SHA256
49a4863e0ed81dc9ce371ea9e2e279a4f7669a4ff5a472ede526b5d9b3846d59

SHA512
f574c8a4795b569ac4f84af86cb73e3758fe58457ecbe402d1876af371a11eeb3d833721ffaa7d76a7be1f8d460b6a9d424cb3255442d7ce1a6b18c34109ba11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibdi4xmf.a30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-06BID.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PGTJ3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PS0K6.tmp\8041fe294422821a4ff85656ecf7d780ea761163b06b966e126290988f093ac0.tmp

Filesize
1.1MB

MD5
bcc236a3921e1388596a42b05686ff5e

SHA1
43bffbbac6a1bf5f1fa21e971e06e6f1d0af9263

SHA256
43a656bcd060e8a36502ca2deb878d56a99078f13d3e57dcd73a87128588c9e9

SHA512
e3baaf1a8f4eb0e1ab57a1fb35bc7ded476606b65fafb09835d34705d8c661819c3cfa0ecc43c5a0d0085fd570df581438de27944e054e12c09a6933bbf5ce04

Download Submit
C:\Users\Admin\AppData\Roaming\9ntdll_4.drv

Filesize
3.0MB

MD5
0cfacfa4f5044659a2928ec133ca6fb1

SHA1
d4ef7b298d5fc6e58a83cd994d9b739c82ff3188

SHA256
54d6ad606a151e075b2e854da88c876ace57c42d4c94ddf13acb2ccd8695bdce

SHA512
630bee59a1b1a8c461841e380364635f7c620a21102c1a347375602b827b3edaea3a7a23e6517b5a5124a02094c4a37f443b10728a92efae6e3817689078b63c

Download Submit
memory/1164-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1164-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1164-27-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1592-124-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1592-125-0x0000000073E70000-0x0000000074136000-memory.dmp

Filesize
2.8MB

Download
memory/1592-123-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1592-121-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1592-117-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/1592-116-0x0000000073E70000-0x0000000074136000-memory.dmp

Filesize
2.8MB

Download
memory/3576-136-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3576-138-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/3576-139-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/3576-149-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/3576-150-0x0000000007610000-0x0000000007621000-memory.dmp

Filesize
68KB

Download
memory/3868-54-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3868-21-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3868-25-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4104-33-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4104-50-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4220-160-0x0000000074FA0000-0x0000000075266000-memory.dmp

Filesize
2.8MB

Download
memory/4220-159-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/4220-158-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/4220-156-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/4220-152-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/4832-104-0x0000000070500000-0x000000007054C000-memory.dmp

Filesize
304KB

Download
memory/4832-102-0x00000000058C0000-0x0000000005C14000-memory.dmp

Filesize
3.3MB

Download
memory/4900-59-0x0000000005BF0000-0x0000000005C56000-memory.dmp

Filesize
408KB

Download
memory/4900-89-0x00000000077B0000-0x00000000077C1000-memory.dmp

Filesize
68KB

Download
memory/4900-69-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-72-0x0000000007420000-0x0000000007452000-memory.dmp

Filesize
200KB

Download
memory/4900-58-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/4900-57-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/4900-56-0x00000000054C0000-0x0000000005AE8000-memory.dmp

Filesize
6.2MB

Download
memory/4900-55-0x0000000004CB0000-0x0000000004CE6000-memory.dmp

Filesize
216KB

Download
memory/4900-71-0x00000000062B0000-0x00000000062FC000-memory.dmp

Filesize
304KB

Download
memory/4900-70-0x0000000006260000-0x000000000627E000-memory.dmp

Filesize
120KB

Download
memory/4900-73-0x0000000070500000-0x000000007054C000-memory.dmp

Filesize
304KB

Download
memory/4900-88-0x0000000007840000-0x00000000078D6000-memory.dmp

Filesize
600KB

Download
memory/4900-87-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/4900-83-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4900-86-0x00000000075B0000-0x00000000075CA000-memory.dmp

Filesize
104KB

Download
memory/4900-85-0x0000000007BF0000-0x000000000826A000-memory.dmp

Filesize
6.5MB

Download
memory/4900-84-0x0000000007460000-0x0000000007503000-memory.dmp

Filesize
652KB

Download
memory/4908-7-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4908-24-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download