sectoprat | 55108ea57f47939a336a8bed35d8be38509c3a88f120797e62ebdb2e025a49b8

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Size

1.1MB
MD5

aedef5976cbed764e16089f0cd5b79e0
SHA1

a21cc8e454927fa878efb34491fdba1cd7ff90c7
SHA256

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86
SHA512

c3e0066946bb2934b682d1cc7293822e57b2a8451e64150053c4e8c2bee76f14a3d7e11b2b77145f60e3479df5d0f25453cb2f776ecf5c2a9263e33c105d4d63
SSDEEP

24576:5Q+7rOqFARbKlkTPiZ/V2RdpldkWeaoF9pG5QqRtuAZ:5Q+7rOqF8bKuIULp7kWexte

Score

10^/10

sectoprat evasion persistence rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5056-162-0x0000000000810000-0x00000000008B2000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Grandi.exe.pif

description pid process target process

PID 3316 created 756 3316 Grandi.exe.pif Explorer.EXE

description	pid	process	target process
PID 3316 created 756	3316	Grandi.exe.pif	Explorer.EXE

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

jsc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	jsc.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Grandi.exe.pif

pid process

3316 Grandi.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Grandi.exe.pif

pid process

3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

75 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

Grandi.exe.pif

description pid process target process

PID 3316 set thread context of 5056 3316 Grandi.exe.pif jsc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1280 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

232 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2012 taskkill.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4084 PING.EXE
744 PING.EXE

flow	ioc
75	eth0.me

description	pid	process	target process
PID 3316 set thread context of 5056	3316	Grandi.exe.pif	jsc.exe

pid	process
1280	schtasks.exe

pid	process
232	tasklist.exe

pid	process
2012	taskkill.exe

pid	process
4084	PING.EXE
744	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Grandi.exe.pifjsc.exe

pid	process
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
3316	Grandi.exe.pif
5056	jsc.exe
5056	jsc.exe
3316	Grandi.exe.pif
3316	Grandi.exe.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exejsc.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 232 tasklist.exe
Token: SeDebugPrivilege 5056 jsc.exe
Token: SeDebugPrivilege 2012 taskkill.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Grandi.exe.pif

pid process

3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Grandi.exe.pif

pid process

3316 Grandi.exe.pif
3316 Grandi.exe.pif
3316 Grandi.exe.pif

description	pid	process
Token: SeDebugPrivilege	232	tasklist.exe
Token: SeDebugPrivilege	5056	jsc.exe
Token: SeDebugPrivilege	2012	taskkill.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.execmd.execmd.exeGrandi.exe.pifjsc.exe

description	pid	process	target process
PID 2116 wrote to memory of 632	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 2116 wrote to memory of 632	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 2116 wrote to memory of 632	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	TapiUnattend.exe
PID 2116 wrote to memory of 4044	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 2116 wrote to memory of 4044	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 2116 wrote to memory of 4044	2116	315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe	cmd.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	cmd.exe
PID 4044 wrote to memory of 1536	4044	cmd.exe	cmd.exe
PID 1536 wrote to memory of 232	1536	cmd.exe	tasklist.exe
PID 1536 wrote to memory of 232	1536	cmd.exe	tasklist.exe
PID 1536 wrote to memory of 232	1536	cmd.exe	tasklist.exe
PID 1536 wrote to memory of 2208	1536	cmd.exe	find.exe
PID 1536 wrote to memory of 2208	1536	cmd.exe	find.exe
PID 1536 wrote to memory of 2208	1536	cmd.exe	find.exe
PID 1536 wrote to memory of 1940	1536	cmd.exe	findstr.exe
PID 1536 wrote to memory of 1940	1536	cmd.exe	findstr.exe
PID 1536 wrote to memory of 1940	1536	cmd.exe	findstr.exe
PID 1536 wrote to memory of 3316	1536	cmd.exe	Grandi.exe.pif
PID 1536 wrote to memory of 3316	1536	cmd.exe	Grandi.exe.pif
PID 1536 wrote to memory of 3316	1536	cmd.exe	Grandi.exe.pif
PID 1536 wrote to memory of 4084	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 4084	1536	cmd.exe	PING.EXE
PID 1536 wrote to memory of 4084	1536	cmd.exe	PING.EXE
PID 3316 wrote to memory of 4460	3316	Grandi.exe.pif	cmd.exe
PID 3316 wrote to memory of 4460	3316	Grandi.exe.pif	cmd.exe
PID 3316 wrote to memory of 4460	3316	Grandi.exe.pif	cmd.exe
PID 3316 wrote to memory of 1280	3316	Grandi.exe.pif	schtasks.exe
PID 3316 wrote to memory of 1280	3316	Grandi.exe.pif	schtasks.exe
PID 3316 wrote to memory of 1280	3316	Grandi.exe.pif	schtasks.exe
PID 4044 wrote to memory of 744	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 744	4044	cmd.exe	PING.EXE
PID 4044 wrote to memory of 744	4044	cmd.exe	PING.EXE
PID 3316 wrote to memory of 5056	3316	Grandi.exe.pif	jsc.exe
PID 3316 wrote to memory of 5056	3316	Grandi.exe.pif	jsc.exe
PID 3316 wrote to memory of 5056	3316	Grandi.exe.pif	jsc.exe
PID 3316 wrote to memory of 5056	3316	Grandi.exe.pif	jsc.exe
PID 3316 wrote to memory of 5056	3316	Grandi.exe.pif	jsc.exe
PID 5056 wrote to memory of 2012	5056	jsc.exe	taskkill.exe
PID 5056 wrote to memory of 2012	5056	jsc.exe	taskkill.exe
PID 5056 wrote to memory of 2012	5056	jsc.exe	taskkill.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe
"C:\Users\Admin\AppData\Local\Temp\315b63093ae9218ebdeaeb5120e17d7fa81bc7bae694fff673a205efaadd7b86.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend
3⤵
PID:632

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Confusa.wp5 & ping -n 5 localhost
3⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
5⤵
PID:2208

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NinSXkvlDSHtQcrcJOkLdmfruNxwOsNOWjYiRYKTwErNWmzxiFKRcYFhSxLpRxvjtToDvWDLrsKLcBiGxZToHVaYGKgvjBeGoRIrsPXkwZNrgTSshtPRAhFoApWMHinCftDESrfEeIiIifKMR$" Chiave.wp5
5⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif
Grandi.exe.pif X
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Mondo" /tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\KzmFiRkxPq.exe.com C:\\Users\\Admin\\AppData\\Local\\Temp\\hgTEuEwmXC\\k" /sc minute /mo 3 /F
6⤵
- Creates scheduled task(s)
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
6⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
5⤵
- Runs ping.exe
PID:4084

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
4⤵
- Runs ping.exe
PID:744

C:\Windows\SysWOW64\cmd.exe
cmd /c echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url" & echo URL="C:\Users\Admin\AppData\Local\Temp\hgTEuEwmXC\XKQJgjogwBm.vbs" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KzmFiRkxPq.url"
2⤵
- Drops startup file
PID:4460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Chiave.wp5

Filesize
924KB

MD5
6e41cef95094d6cd62ccc384b49653b2

SHA1
990c782d8732d9b0e23d6de4f7bd2fa08ae571f3

SHA256
1efed630d1abb539b246eb664541c762e14dd676cdea4e2063328f6d832aedd2

SHA512
a9cc9e0ce439e60b1a56a3d9d574421676bedddf2da3b3a43844013ff7ab0c9068b29e9940584e2aa19f276f02daf0e960b9cd6a1a690bf93ed0efda5f7803c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Confusa.wp5

Filesize
10KB

MD5
18c08f8da42aa0e34cc45c6f03220edb

SHA1
e150d1eba02d4ea0c7800872f2c3922d6686b930

SHA256
424565ebfca0ab2935e345c4a6e13ad75bf55d11f0997c59e3f1f5eea11d97b8

SHA512
9cf3205af5d1b6cfbcc0e04fed7b7d0de192dddbdeb6dfa12d1cf05adc1fc251e53bfd5ba69cc95adf323dce6ed2fe7b91359f2cd3797a172c1ce6b44e155d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Grandi.exe.pif

Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Per.wp5

Filesize
1.6MB

MD5
4b443bbcf2e9f1c5868c901618632df4

SHA1
ef2973033ce11862227e5fa65a6fc53c45858519

SHA256
c8d782aceefd0d425e97f5c580b54ee7c18550245330d37ab8dba62152818352

SHA512
f9ce3cee530bccb2225bf5de90645b04a152cb99b0876a33db5ec003d07bf16c74105c7367a3e64f55902d59af44b2b890e2647a68026f5e12786eb8e70ed7ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tomt.dll

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
memory/3316-155-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/5056-173-0x00000000069D0000-0x0000000006B92000-memory.dmp

Filesize
1.8MB

Download
memory/5056-168-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/5056-169-0x0000000004EA0000-0x0000000004F06000-memory.dmp

Filesize
408KB

Download
memory/5056-170-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/5056-171-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/5056-172-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/5056-162-0x0000000000810000-0x00000000008B2000-memory.dmp

Filesize
648KB

Download
memory/5056-174-0x00000000068D0000-0x0000000006946000-memory.dmp

Filesize
472KB

Download
memory/5056-175-0x00000000070D0000-0x00000000075FC000-memory.dmp

Filesize
5.2MB

Download
memory/5056-176-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/5056-177-0x0000000007040000-0x0000000007052000-memory.dmp

Filesize
72KB

Download
memory/5056-178-0x0000000007610000-0x000000000764C000-memory.dmp

Filesize
240KB

Download
memory/5056-184-0x00000000076D0000-0x0000000007720000-memory.dmp

Filesize
320KB

Download