105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe
Size

1.4MB
MD5

19f46c41f3f272a9d8119a738c21d8c6
SHA1

7cafe3ea1336554c7fd31cb64d0d278bc8428b8b
SHA256

105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af
SHA512

7cd233e53213d0bb530b6e73ae023d751ee3cb957ac58764f93b31817bd06ff80a42ae86f96fbb5c11c71ee330f041c56325fe2121198b408fd3ddd42c09515a
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0006000000023092-111.dat	acprotect
behavioral2/files/0x0006000000023092-112.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe

Executes dropped EXE 1 IoCs

pid	Process
672	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
672	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000023093-110.dat	upx
behavioral2/memory/672-109-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x0006000000023093-108.dat	upx
behavioral2/files/0x0006000000023092-111.dat	upx
behavioral2/files/0x0006000000023092-112.dat	upx
behavioral2/memory/672-113-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/672-115-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/672-117-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/672-122-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1556	powershell.exe
1556	powershell.exe
1172	powershell.exe
1172	powershell.exe
404	powershell.exe
404	powershell.exe
4376	powershell.exe
4376	powershell.exe
3324	powershell.exe
3324	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	4376	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 4828	2752	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	92
PID 2752 wrote to memory of 4828	2752	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	92
PID 2752 wrote to memory of 4828	2752	105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe	92
PID 4828 wrote to memory of 4344	4828	cmd.exe	95
PID 4828 wrote to memory of 4344	4828	cmd.exe	95
PID 4828 wrote to memory of 4344	4828	cmd.exe	95
PID 4344 wrote to memory of 3236	4344	cmd.exe	96
PID 4344 wrote to memory of 3236	4344	cmd.exe	96
PID 4344 wrote to memory of 3236	4344	cmd.exe	96
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4828 wrote to memory of 4816	4828	cmd.exe	97
PID 4816 wrote to memory of 760	4816	cmd.exe	98
PID 4816 wrote to memory of 760	4816	cmd.exe	98
PID 4816 wrote to memory of 760	4816	cmd.exe	98
PID 4828 wrote to memory of 1556	4828	cmd.exe	99
PID 4828 wrote to memory of 1556	4828	cmd.exe	99
PID 4828 wrote to memory of 1556	4828	cmd.exe	99
PID 4828 wrote to memory of 1172	4828	cmd.exe	108
PID 4828 wrote to memory of 1172	4828	cmd.exe	108
PID 4828 wrote to memory of 1172	4828	cmd.exe	108
PID 4828 wrote to memory of 404	4828	cmd.exe	109
PID 4828 wrote to memory of 404	4828	cmd.exe	109
PID 4828 wrote to memory of 404	4828	cmd.exe	109
PID 4828 wrote to memory of 4376	4828	cmd.exe	110
PID 4828 wrote to memory of 4376	4828	cmd.exe	110
PID 4828 wrote to memory of 4376	4828	cmd.exe	110
PID 4828 wrote to memory of 3324	4828	cmd.exe	111
PID 4828 wrote to memory of 3324	4828	cmd.exe	111
PID 4828 wrote to memory of 3324	4828	cmd.exe	111
PID 4828 wrote to memory of 672	4828	cmd.exe	112
PID 4828 wrote to memory of 672	4828	cmd.exe	112
PID 4828 wrote to memory of 672	4828	cmd.exe	112
PID 4828 wrote to memory of 1936	4828	cmd.exe	118
PID 4828 wrote to memory of 1936	4828	cmd.exe	118
PID 4828 wrote to memory of 1936	4828	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe
"C:\Users\Admin\AppData\Local\Temp\105e455731e490cb5fd0c456f265dc986842d3d69906ad6b94235d19255931af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3324
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
84f5492e94014cb13368a27c47765f11

SHA1
abcc2075261d697c76fbcb2af17fb031fc1be2a6

SHA256
c16fadf27ec7606b8607de68330c2fbf649948d0fe6e0d7b921e483e28db7e05

SHA512
56197d0653f00a98cae18330cb90e7c40ee450478779048b6a6b74a9750c9877eaaab797bb3a54c501c95b03abf2ab51e4fc8832806d46628c4025e241a6a730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
201f326ada598f09e4f97b3fdcdfa967

SHA1
3626c2254922e978e2322c0084b0b8f4cd1fcf28

SHA256
1d9761cbf7212f728b2f8e202d5d5f35c76540dcd591c6186fba9c5b19f3a745

SHA512
db6fa97f1e4d017bd83c64e6adc02685de42cb8987e514cc52416618beff762aa4f40ed65a8ed5baba3a163318dae566f491c16df5a14dd6b67832c158bcd296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
34d79ed23e5f762847a2d2ca824cc64f

SHA1
fc369f1f31e6fbd332c430ffe848fece91f1c54f

SHA256
4f8ce6e67695bd460826d0ad17063529b6725ac4c37eb02ac830832f3ea01174

SHA512
e2503f77a84818bb93fb4c8604e826d875b3d7de47bffb7b4e8a8a8f0be4c477ab7553eaf16e8dde15079945aad1c977160cc4ee91316eef84c6ba981660b312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
8ab2e28c498a1d52081911d3f816852f

SHA1
a70d12081a8ab46909f8ed36db9479351de5a966

SHA256
caae6f2b82415a4afc88ad4f331b1a212048b08a960b88d17581592ca0d4c311

SHA512
3d2184422e03ace2034934d2a0633b7a1b73686cc3f71b08954bae014254e6662985acb4773c10dff9a46475b9c4e846e71b3d7e6514778c8c961107e2908558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
27671dba95b441f127681c4dca306ded

SHA1
4f29423759f603e946353ee2a634f7535e793e39

SHA256
1a7e4e0c348f2ad597cc94306a8dc07c5c18c9d40c1122e8bda0e2a8b6749547

SHA512
0ca850cf1b20b134bb6e6aa933f32cb183c5564976a7cbb619d76a5cb3e162752108e4eaf81b158480c7f718aab864aa14ae615c1f3d1c3a3b5b2fb6855ccee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptkq3b4s.vvw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
51.1MB

MD5
6e6f816c5dc792ac25d8133d855e3ab7

SHA1
a72d1005d7522bede06596ad61d524d2906df0a5

SHA256
9e8f26dca25477645432b64293f4ea321c195ab7a1dfea1b00e248d949db7c90

SHA512
a1bc1a84c6000e9e40f0b6934a45f944bf884bd46ac1b2749b8c0080ad5f02b42edc360aa5aa8921579e960b7406a6d271bbe059b2c1626f5f5f800aad0a63ce

Download Submit
memory/404-72-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/404-60-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/404-73-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/404-59-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/404-58-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/672-109-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/672-113-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/672-122-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/672-117-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/672-115-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1172-41-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1172-54-0x0000000006DC0000-0x0000000006E0C000-memory.dmp

Filesize
304KB

Download
memory/1172-55-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1172-57-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1172-42-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/1172-40-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1172-48-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/1556-16-0x0000000004C90000-0x00000000052B8000-memory.dmp

Filesize
6.2MB

Download
memory/1556-38-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-13-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-14-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1556-28-0x0000000005550000-0x00000000058A4000-memory.dmp

Filesize
3.3MB

Download
memory/1556-15-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/1556-35-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1556-34-0x0000000005AC0000-0x0000000005B0C000-memory.dmp

Filesize
304KB

Download
memory/1556-33-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/1556-17-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1556-22-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1556-18-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1556-19-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/1556-21-0x0000000005470000-0x00000000054D6000-memory.dmp

Filesize
408KB

Download
memory/1556-20-0x0000000004B20000-0x0000000004B42000-memory.dmp

Filesize
136KB

Download
memory/1936-126-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/1936-139-0x00000000065C0000-0x000000000660C000-memory.dmp

Filesize
304KB

Download
memory/1936-128-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1936-127-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/3324-90-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-92-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3324-106-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/3324-91-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/3324-102-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3324-104-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4376-75-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/4376-89-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-74-0x0000000073F00000-0x00000000746B0000-memory.dmp

Filesize
7.7MB

Download
memory/4376-79-0x0000000006120000-0x0000000006474000-memory.dmp

Filesize
3.3MB

Download
memory/4376-76-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download