63a7076be80f5bc6e264aac9eceba117afa2163f22b07b140de7c5250d5663e0

Analysis

max time kernel
31s
max time network
35s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-03-2023 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SasoreiSetup.exe
Size

33.5MB
MD5

cdd553c82b80cdbec4926b8688f18614
SHA1

9ea1399ea4fb9b927d4904cf80dcb8b732b9e922
SHA256

88453d7462877895dbebc6964ebf18ff6070ef826f04ca82ffa1529099a6cb49
SHA512

75ded2f9ef116721b50ca775d4f9f0c162f1d7fcfafec1ebeaff08c5e82c43ad4eb9087c42f3c5680d071164e74842adcbe67c75c9796ee68340304649bc7730
SSDEEP

393216:/QgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgf96l+ZArYsFRlGoS:/3on1HvSzxAMNfFZArYsHVC

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4020	powershell.exe
4020	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
4020	powershell.exe
1616	powershell.exe
1616	powershell.exe
1616	powershell.exe
4296	powershell.exe
4296	powershell.exe
4296	powershell.exe
3144	powershell.exe
3632	powershell.exe
2308	powershell.exe
3144	powershell.exe
3632	powershell.exe
2308	powershell.exe
3144	powershell.exe
3632	powershell.exe
2308	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeIncreaseQuotaPrivilege	4020	powershell.exe
Token: SeSecurityPrivilege	4020	powershell.exe
Token: SeTakeOwnershipPrivilege	4020	powershell.exe
Token: SeLoadDriverPrivilege	4020	powershell.exe
Token: SeSystemProfilePrivilege	4020	powershell.exe
Token: SeSystemtimePrivilege	4020	powershell.exe
Token: SeProfSingleProcessPrivilege	4020	powershell.exe
Token: SeIncBasePriorityPrivilege	4020	powershell.exe
Token: SeCreatePagefilePrivilege	4020	powershell.exe
Token: SeBackupPrivilege	4020	powershell.exe
Token: SeRestorePrivilege	4020	powershell.exe
Token: SeShutdownPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeSystemEnvironmentPrivilege	4020	powershell.exe
Token: SeRemoteShutdownPrivilege	4020	powershell.exe
Token: SeUndockPrivilege	4020	powershell.exe
Token: SeManageVolumePrivilege	4020	powershell.exe
Token: 33	4020	powershell.exe
Token: 34	4020	powershell.exe
Token: 35	4020	powershell.exe
Token: 36	4020	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeIncreaseQuotaPrivilege	1616	powershell.exe
Token: SeSecurityPrivilege	1616	powershell.exe
Token: SeTakeOwnershipPrivilege	1616	powershell.exe
Token: SeLoadDriverPrivilege	1616	powershell.exe
Token: SeSystemProfilePrivilege	1616	powershell.exe
Token: SeSystemtimePrivilege	1616	powershell.exe
Token: SeProfSingleProcessPrivilege	1616	powershell.exe
Token: SeIncBasePriorityPrivilege	1616	powershell.exe
Token: SeCreatePagefilePrivilege	1616	powershell.exe
Token: SeBackupPrivilege	1616	powershell.exe
Token: SeRestorePrivilege	1616	powershell.exe
Token: SeShutdownPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeSystemEnvironmentPrivilege	1616	powershell.exe
Token: SeRemoteShutdownPrivilege	1616	powershell.exe
Token: SeUndockPrivilege	1616	powershell.exe
Token: SeManageVolumePrivilege	1616	powershell.exe
Token: 33	1616	powershell.exe
Token: 34	1616	powershell.exe
Token: 35	1616	powershell.exe
Token: 36	1616	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	4296	powershell.exe
Token: SeSecurityPrivilege	4296	powershell.exe
Token: SeTakeOwnershipPrivilege	4296	powershell.exe
Token: SeLoadDriverPrivilege	4296	powershell.exe
Token: SeSystemProfilePrivilege	4296	powershell.exe
Token: SeSystemtimePrivilege	4296	powershell.exe
Token: SeProfSingleProcessPrivilege	4296	powershell.exe
Token: SeIncBasePriorityPrivilege	4296	powershell.exe
Token: SeCreatePagefilePrivilege	4296	powershell.exe
Token: SeBackupPrivilege	4296	powershell.exe
Token: SeRestorePrivilege	4296	powershell.exe
Token: SeShutdownPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeSystemEnvironmentPrivilege	4296	powershell.exe
Token: SeRemoteShutdownPrivilege	4296	powershell.exe
Token: SeUndockPrivilege	4296	powershell.exe
Token: SeManageVolumePrivilege	4296	powershell.exe
Token: 33	4296	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3508	2456	SasoreiSetup.exe	67
PID 2456 wrote to memory of 3508	2456	SasoreiSetup.exe	67
PID 3508 wrote to memory of 5096	3508	cmd.exe	69
PID 3508 wrote to memory of 5096	3508	cmd.exe	69
PID 2456 wrote to memory of 3952	2456	SasoreiSetup.exe	70
PID 2456 wrote to memory of 3952	2456	SasoreiSetup.exe	70
PID 2456 wrote to memory of 4020	2456	SasoreiSetup.exe	71
PID 2456 wrote to memory of 4020	2456	SasoreiSetup.exe	71
PID 3952 wrote to memory of 436	3952	powershell.exe	73
PID 3952 wrote to memory of 436	3952	powershell.exe	73
PID 436 wrote to memory of 764	436	csc.exe	74
PID 436 wrote to memory of 764	436	csc.exe	74
PID 2456 wrote to memory of 1616	2456	SasoreiSetup.exe	76
PID 2456 wrote to memory of 1616	2456	SasoreiSetup.exe	76
PID 2456 wrote to memory of 4296	2456	SasoreiSetup.exe	79
PID 2456 wrote to memory of 4296	2456	SasoreiSetup.exe	79
PID 2456 wrote to memory of 4016	2456	SasoreiSetup.exe	81
PID 2456 wrote to memory of 4016	2456	SasoreiSetup.exe	81
PID 2456 wrote to memory of 3632	2456	SasoreiSetup.exe	83
PID 2456 wrote to memory of 3632	2456	SasoreiSetup.exe	83
PID 2456 wrote to memory of 3144	2456	SasoreiSetup.exe	84
PID 2456 wrote to memory of 3144	2456	SasoreiSetup.exe	84
PID 2456 wrote to memory of 2308	2456	SasoreiSetup.exe	85
PID 2456 wrote to memory of 2308	2456	SasoreiSetup.exe	85
PID 2456 wrote to memory of 3540	2456	SasoreiSetup.exe	89
PID 2456 wrote to memory of 3540	2456	SasoreiSetup.exe	89
PID 3540 wrote to memory of 3472	3540	cmd.exe	91
PID 3540 wrote to memory of 3472	3540	cmd.exe	91
PID 2456 wrote to memory of 4704	2456	SasoreiSetup.exe	92
PID 2456 wrote to memory of 4704	2456	SasoreiSetup.exe	92
PID 2456 wrote to memory of 2016	2456	SasoreiSetup.exe	94
PID 2456 wrote to memory of 2016	2456	SasoreiSetup.exe	94
PID 2016 wrote to memory of 3968	2016	cmd.exe	96
PID 2016 wrote to memory of 3968	2016	cmd.exe	96
PID 2456 wrote to memory of 1012	2456	SasoreiSetup.exe	97
PID 2456 wrote to memory of 1012	2456	SasoreiSetup.exe	97

C:\Users\Admin\AppData\Local\Temp\SasoreiSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SasoreiSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:5096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\11dzcrv5\11dzcrv5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB904.tmp" "c:\Users\Admin\AppData\Local\Temp\11dzcrv5\CSC1157224DCEF489B9EFE76B76DDD32C.TMP"
      4⤵
      PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:4016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:3472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" list vms --long"
  2⤵
  PID:1012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
42d4b1d78e6e092af15c7aef34e5cf45

SHA1
6cf9d0e674430680f67260194d3185667a2bb77b

SHA256
c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0

SHA512
d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3f7a72b34363d802ddcda042738fb4f7

SHA1
ecff695aa62d2b661c755fa7d266972a6469d105

SHA256
5aed67f943c8c721aca87b4fb31dd5713f6d79f1fe05849a70bd949366c0b5a7

SHA512
84978a75e2e0119070846d536287bf3c14c51c6910caae7930dcb0c05f49de2defbd52eafce4768fe6a8dff12db7c96ebcca4d25b13b053c4847a54fd641c244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
619897a591c1f7f57ee9e3310074903f

SHA1
9ebf6b4b04c3e82bf3b646d7296e8ca8b1296c0b

SHA256
14441d88b10cdf1623afc7b576f68688076a8bbb4462ae0a1e6da649fdb433d2

SHA512
fa619b3d2813e2a2e162016139de159ab4281876ab83e86a376ffe4649402d6d85e344466c8837fef575171dab16be32201cef4ab59eb8930b3f2a1b1566be56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
619897a591c1f7f57ee9e3310074903f

SHA1
9ebf6b4b04c3e82bf3b646d7296e8ca8b1296c0b

SHA256
14441d88b10cdf1623afc7b576f68688076a8bbb4462ae0a1e6da649fdb433d2

SHA512
fa619b3d2813e2a2e162016139de159ab4281876ab83e86a376ffe4649402d6d85e344466c8837fef575171dab16be32201cef4ab59eb8930b3f2a1b1566be56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
c373cdb8236bb363319af570bd628dfc

SHA1
4f756c7d4a6f6e8494bd884bb9e00646e84e119b

SHA256
68d7a477b2bc5a4bf0f3894860999fa442a5b8653579f8173391dcc43dcbaf47

SHA512
cf8b041f6bfa9608191750a577bd86573656a017af61882db73f3e1f639411855038e3b761965cf04b26a0c0bbec1b6320482e787b7d667e0450c8ffb9ef1ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aea579c203455718308d8968499f9ce0

SHA1
4017ccafb5ce3d6e061c60ddf29b9492a3111aba

SHA256
63372c6df4f30818d2e73fccae67da5730807faeb518856c8dc227c1ad08a5c1

SHA512
b52c8538446e36e260f8a7a42b4bc4a00773a1af7e9c0ae40c85e183df1c7895a7e400f2146e2d28c19db57fef23c6c9d2e4a0ccaf2a08f7ae4f27da91c908e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
31cf1ce713129e993ae44f9976adc24b

SHA1
6e50953a0240676e56954f3a1127bd2ed5ca8cb0

SHA256
101bf908ac830f3b84179d6fdba2dec9a01e26f43b8511f322ce606594b2f2c4

SHA512
9ee117afb9629d33779fd22b25b92f51442fbc2cde751e0c60fa3d2380f59cf33eb146361fbade017f0eea824ee5394254ab762bfdfd625ce3329c4025aefcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\11dzcrv5\11dzcrv5.dll

Filesize
3KB

MD5
4750a299968dc38ba6e795cf353bc121

SHA1
f4b65cd8a0a4717f6155bc2b631b4e7e2efa8d24

SHA256
c660b2624bdf7d79607abcbd65b30ae2e399f5951b1b6587c98bb74eba4bd00c

SHA512
df252e8a780d3efa6399d60d5f6c422f42619855933676bbfb579cdf619a6573a94327465139be539e1e6aca3bb812c25f1a9499ee9a56e011dc55040630c1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB904.tmp

Filesize
1KB

MD5
60b49d2c945bb745c1407501ffd8971a

SHA1
b904879c34a1dda80697db09a0aa565574dd0c07

SHA256
5c43eb88322bf05de3fcc9e3099d8bd07f24ad39d408a17b4394de46ada8a43e

SHA512
0093d188d4716e13eb6f6674c1f845ca013935ad47e793e0f61323c330cfe91fec7bee52ae560b90a9a5223175a89e568c5f08ca4e130c524e47b345ed3f5584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtocy4r2.mjb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11dzcrv5\11dzcrv5.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11dzcrv5\11dzcrv5.cmdline

Filesize
369B

MD5
97c1e941620583b7f369e748d4969bea

SHA1
c15e9c0c43d3cae2347efaecc35df9583fe2a440

SHA256
2ee99ee69eebbaf2610c2c973c1047bbaabb921d2609facb91c775b89740a648

SHA512
dbc4d0442f4210610acd92d3579a66f443c37a9a032ed508d21f975145d2ebfb7bc8eb35971460d43b7f19392507c85ae19ff68b6cf7374f2b4089d15330bc85

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\11dzcrv5\CSC1157224DCEF489B9EFE76B76DDD32C.TMP

Filesize
652B

MD5
518a60a69b1703542c47cbe9d6a4a78a

SHA1
5eead99a22d981f0245f370247a8609bbe19a7bf

SHA256
1870868eaee5b0b830b91284cc0d4e0181eb5d5d524a8a59799cddb6b4ab723b

SHA512
ea84931a66b2469b64bff6ed951ab1eb08172063b2e4fc533e4910c2c8cf38494b1386e84a8922b8d232c2fb3489addd52f4890ba155d3d06b8e1812a7ffa522

Download Submit
memory/1616-444-0x000001ED753A0000-0x000001ED753B0000-memory.dmp

Filesize
64KB

Download
memory/1616-443-0x000001ED753A0000-0x000001ED753B0000-memory.dmp

Filesize
64KB

Download
memory/2308-959-0x0000018CB8A30000-0x0000018CB8A40000-memory.dmp

Filesize
64KB

Download
memory/2308-957-0x0000018CB8A30000-0x0000018CB8A40000-memory.dmp

Filesize
64KB

Download
memory/3144-1518-0x0000021EEB780000-0x0000021EEB790000-memory.dmp

Filesize
64KB

Download
memory/3144-1513-0x0000021EEB780000-0x0000021EEB790000-memory.dmp

Filesize
64KB

Download
memory/3144-1511-0x0000021EEB780000-0x0000021EEB790000-memory.dmp

Filesize
64KB

Download
memory/3144-961-0x0000021EEB780000-0x0000021EEB790000-memory.dmp

Filesize
64KB

Download
memory/3144-960-0x0000021EEB780000-0x0000021EEB790000-memory.dmp

Filesize
64KB

Download
memory/3632-963-0x000001C9ADD10000-0x000001C9ADD20000-memory.dmp

Filesize
64KB

Download
memory/3632-962-0x000001C9ADD10000-0x000001C9ADD20000-memory.dmp

Filesize
64KB

Download
memory/3632-1519-0x000001C9ADD10000-0x000001C9ADD20000-memory.dmp

Filesize
64KB

Download
memory/3632-1517-0x000001C9ADD10000-0x000001C9ADD20000-memory.dmp

Filesize
64KB

Download
memory/3632-1515-0x000001C9ADD10000-0x000001C9ADD20000-memory.dmp

Filesize
64KB

Download
memory/3952-142-0x00000279126E0000-0x00000279126F0000-memory.dmp

Filesize
64KB

Download
memory/3952-167-0x000002792CA50000-0x000002792CAC6000-memory.dmp

Filesize
472KB

Download
memory/3952-212-0x00000279126E0000-0x00000279126F0000-memory.dmp

Filesize
64KB

Download
memory/3952-214-0x000002792C890000-0x000002792C898000-memory.dmp

Filesize
32KB

Download
memory/4020-180-0x0000013043600000-0x000001304363C000-memory.dmp

Filesize
240KB

Download
memory/4020-382-0x0000013045CA0000-0x0000013045CCA000-memory.dmp

Filesize
168KB

Download
memory/4020-401-0x0000013045CA0000-0x0000013045CC2000-memory.dmp

Filesize
136KB

Download
memory/4020-131-0x000001302B580000-0x000001302B5A2000-memory.dmp

Filesize
136KB

Download
memory/4020-140-0x0000013043650000-0x0000013043660000-memory.dmp

Filesize
64KB

Download
memory/4020-138-0x0000013043650000-0x0000013043660000-memory.dmp

Filesize
64KB

Download
memory/4296-692-0x000002ACFDF50000-0x000002ACFDF60000-memory.dmp

Filesize
64KB

Download
memory/4296-694-0x000002ACFDF50000-0x000002ACFDF60000-memory.dmp

Filesize
64KB

Download
memory/4704-1552-0x000001DAEFC00000-0x000001DAEFC10000-memory.dmp

Filesize
64KB

Download
memory/4704-1553-0x000001DAEFC00000-0x000001DAEFC10000-memory.dmp

Filesize
64KB

Download