a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe
Size

1.4MB
MD5

ff14c0880e31b2dc2b45a74df26055a9
SHA1

81a1c198140d0e7afc28d90df3d23a5c76816895
SHA256

a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8
SHA512

e81eb575dc12467e5f0f12fd0526be4541b4a352fd1fbc1e09bc7708a9715654c53f26ca9defdf25f56a4b2c47536ccbf4b853c4ac289e2f323cb9ac3b8dfb9a
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000300000002287e-107.dat	acprotect
behavioral2/files/0x000300000002287e-108.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
2056	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2056-105-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x00080000000231e8-106.dat	upx
behavioral2/files/0x00080000000231e8-104.dat	upx
behavioral2/files/0x000300000002287e-107.dat	upx
behavioral2/files/0x000300000002287e-108.dat	upx
behavioral2/memory/2056-109-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/2056-111-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/2056-112-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/2056-129-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4356	powershell.exe
4356	powershell.exe
3712	powershell.exe
3712	powershell.exe
4792	powershell.exe
4792	powershell.exe
3316	powershell.exe
3316	powershell.exe
4928	powershell.exe
4928	powershell.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe
Token: 36	2508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe
Token: 36	2508	WMIC.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 3660	760	a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe	88
PID 760 wrote to memory of 3660	760	a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe	88
PID 760 wrote to memory of 3660	760	a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe	88
PID 3660 wrote to memory of 2436	3660	cmd.exe	91
PID 3660 wrote to memory of 2436	3660	cmd.exe	91
PID 3660 wrote to memory of 2436	3660	cmd.exe	91
PID 2436 wrote to memory of 1704	2436	cmd.exe	92
PID 2436 wrote to memory of 1704	2436	cmd.exe	92
PID 2436 wrote to memory of 1704	2436	cmd.exe	92
PID 3660 wrote to memory of 1560	3660	cmd.exe	93
PID 3660 wrote to memory of 1560	3660	cmd.exe	93
PID 3660 wrote to memory of 1560	3660	cmd.exe	93
PID 1560 wrote to memory of 2508	1560	cmd.exe	94
PID 1560 wrote to memory of 2508	1560	cmd.exe	94
PID 1560 wrote to memory of 2508	1560	cmd.exe	94
PID 3660 wrote to memory of 4356	3660	cmd.exe	95
PID 3660 wrote to memory of 4356	3660	cmd.exe	95
PID 3660 wrote to memory of 4356	3660	cmd.exe	95
PID 3660 wrote to memory of 3712	3660	cmd.exe	100
PID 3660 wrote to memory of 3712	3660	cmd.exe	100
PID 3660 wrote to memory of 3712	3660	cmd.exe	100
PID 3660 wrote to memory of 4792	3660	cmd.exe	102
PID 3660 wrote to memory of 4792	3660	cmd.exe	102
PID 3660 wrote to memory of 4792	3660	cmd.exe	102
PID 3660 wrote to memory of 3316	3660	cmd.exe	104
PID 3660 wrote to memory of 3316	3660	cmd.exe	104
PID 3660 wrote to memory of 3316	3660	cmd.exe	104
PID 3660 wrote to memory of 4928	3660	cmd.exe	105
PID 3660 wrote to memory of 4928	3660	cmd.exe	105
PID 3660 wrote to memory of 4928	3660	cmd.exe	105
PID 3660 wrote to memory of 2056	3660	cmd.exe	107
PID 3660 wrote to memory of 2056	3660	cmd.exe	107
PID 3660 wrote to memory of 2056	3660	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe
"C:\Users\Admin\AppData\Local\Temp\a3a6f1efd5e9dfbb3f1516625e042240d88139995e3a56c9ad6215794f5d30e8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4356
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8849c19be147e937de578fda0ea60b90

SHA1
18fa2e83736e114a98bdc6de71efadec7fe86aee

SHA256
945143bfb354ce69b60148ea95bdf82ff0a70723a1cefee3c72a3c7d82dbfc7b

SHA512
16bc36701b71e99d5549f58ad22a5ee53c01dd0876467f78e631637db9d50b393947a58a086e1d88f147d221b1d8cbf9801bf52f666239c2b6dcdd1b7a4a1916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
d3740a9a814855e23046e14f6d358453

SHA1
8cbce94e157becc7d75217203f8fd01e36ac93ca

SHA256
2281fb2548b2dd7631426c0c0cc475463e05b542205b5146496ee2b4a5a3fd7a

SHA512
64545328886f5cba9c9644d52c21a2682a0924a331f86382a63ee461cb2139386868c21fb5ec11f8309691f447a69328327f3a45f7b2b986cd50487addcf31d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
279559b61e453f5d1bf3372fe51fe51e

SHA1
12aab304854d7165bde1d4b7e77b7bfd3e2b5b6f

SHA256
f2733d066149670d34d8892416bfdb3dd0ddba1adcd8ead6f5ae86ea51dd8063

SHA512
dc135650bb3b8cc05dc8f28579c483502ae677649029419afae662798e4528f43cf3b5bdeca3b81b94e46c8daa7bc9e709a2ca927e2c88faf782f0620e08856a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
71d0387e0dd4430c2005ff7e2f8ee7c6

SHA1
c5a1e70a8eed7ba2b2170c4d0e3a5e06852a9ebc

SHA256
5178084da9cc167b687d676dab5a5aff466406213fd2a0683391b4b025588b45

SHA512
858bbc9136fe718d99b94c704d98f9eefa2861a6349dd8459f345260b9a6d7bec92c1d404dbef3f63d246eefca437d4af4ab23a743dc138a22cf09481faf0293

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uzbgmo2c.apy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
36.5MB

MD5
c53233eeca53bf32de481dd57c4dabe2

SHA1
ce54a4357916b62a930bd986f591d1dee0053478

SHA256
c4a1c46fda53e36e16cec7ee087a7561f820063bc772c2bc09e5aff9881e5614

SHA512
d375d4e1db8de5d5c199ad8c4237a500518fdb2de9b26db8fbce8358bcf0dbad3d5b76ffb37aaf346cedcc9b8d61b72c4c60ca311ee72750891d26f11c055371

Download Submit
memory/2056-129-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2056-111-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2056-109-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/2056-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2056-112-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/3316-72-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3316-73-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3316-71-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3316-86-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3316-84-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3712-51-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3712-53-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3712-40-0x00000000054A0000-0x00000000057F4000-memory.dmp

Filesize
3.3MB

Download
memory/3712-39-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3712-38-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3712-37-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-35-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4356-32-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4356-31-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/4356-30-0x0000000005380000-0x000000000539E000-memory.dmp

Filesize
120KB

Download
memory/4356-29-0x0000000006070000-0x00000000063C4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-19-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4356-18-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4356-17-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/4356-16-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/4356-15-0x00000000050C0000-0x00000000050F6000-memory.dmp

Filesize
216KB

Download
memory/4356-14-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4356-13-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-66-0x0000000005F20000-0x0000000006274000-memory.dmp

Filesize
3.3MB

Download
memory/4792-70-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4792-68-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4792-56-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4792-55-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4792-54-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-102-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-95-0x0000000005AB0000-0x0000000005E04000-memory.dmp

Filesize
3.3MB

Download
memory/4928-88-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4928-89-0x0000000002A80000-0x0000000002A90000-memory.dmp

Filesize
64KB

Download
memory/4928-87-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download