863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e

Analysis

max time kernel
110s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe
Size

1.4MB
MD5

0dad74135677936499c2ff723c0a9712
SHA1

37897e154481cd6634527afd05731f6eccc9dd64
SHA256

863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e
SHA512

3a01cf85838f62ce1a73642079f747be292507d395cbf786e912da47986024a447479c2ebc9dc5d05884741f159b0582bf79d1e2eb16a6e9e51d54590b6b7c07
SSDEEP

24576:U2G/nvxW3Ww0tRp8GiXTBhq7yRDvHcUcjUvy0lr3Tl6icOB/UWoT:UbA30H4zF0UMSAicOB/UWk

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002326c-107.dat	acprotect
behavioral2/files/0x000700000002326c-106.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
1732	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002326d-103.dat	upx
behavioral2/files/0x000700000002326d-104.dat	upx
behavioral2/files/0x000700000002326c-107.dat	upx
behavioral2/memory/1732-105-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/files/0x000700000002326c-106.dat	upx
behavioral2/memory/1732-108-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/1732-110-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral2/memory/1732-112-0x0000000010000000-0x00000000100E2000-memory.dmp	upx
behavioral2/memory/1732-121-0x0000000000400000-0x0000000000432000-memory.dmp	upx

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3952	powershell.exe
3952	powershell.exe
4052	powershell.exe
4052	powershell.exe
4156	powershell.exe
4156	powershell.exe
4848	powershell.exe
4848	powershell.exe
816	powershell.exe
816	powershell.exe
816	powershell.exe
4644	powershell.exe
4644	powershell.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4764	WMIC.exe
Token: SeSecurityPrivilege	4764	WMIC.exe
Token: SeTakeOwnershipPrivilege	4764	WMIC.exe
Token: SeLoadDriverPrivilege	4764	WMIC.exe
Token: SeSystemProfilePrivilege	4764	WMIC.exe
Token: SeSystemtimePrivilege	4764	WMIC.exe
Token: SeProfSingleProcessPrivilege	4764	WMIC.exe
Token: SeIncBasePriorityPrivilege	4764	WMIC.exe
Token: SeCreatePagefilePrivilege	4764	WMIC.exe
Token: SeBackupPrivilege	4764	WMIC.exe
Token: SeRestorePrivilege	4764	WMIC.exe
Token: SeShutdownPrivilege	4764	WMIC.exe
Token: SeDebugPrivilege	4764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4764	WMIC.exe
Token: SeRemoteShutdownPrivilege	4764	WMIC.exe
Token: SeUndockPrivilege	4764	WMIC.exe
Token: SeManageVolumePrivilege	4764	WMIC.exe
Token: 33	4764	WMIC.exe
Token: 34	4764	WMIC.exe
Token: 35	4764	WMIC.exe
Token: 36	4764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4764	WMIC.exe
Token: SeSecurityPrivilege	4764	WMIC.exe
Token: SeTakeOwnershipPrivilege	4764	WMIC.exe
Token: SeLoadDriverPrivilege	4764	WMIC.exe
Token: SeSystemProfilePrivilege	4764	WMIC.exe
Token: SeSystemtimePrivilege	4764	WMIC.exe
Token: SeProfSingleProcessPrivilege	4764	WMIC.exe
Token: SeIncBasePriorityPrivilege	4764	WMIC.exe
Token: SeCreatePagefilePrivilege	4764	WMIC.exe
Token: SeBackupPrivilege	4764	WMIC.exe
Token: SeRestorePrivilege	4764	WMIC.exe
Token: SeShutdownPrivilege	4764	WMIC.exe
Token: SeDebugPrivilege	4764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4764	WMIC.exe
Token: SeRemoteShutdownPrivilege	4764	WMIC.exe
Token: SeUndockPrivilege	4764	WMIC.exe
Token: SeManageVolumePrivilege	4764	WMIC.exe
Token: 33	4764	WMIC.exe
Token: 34	4764	WMIC.exe
Token: 35	4764	WMIC.exe
Token: 36	4764	WMIC.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4932	4752	863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe	89
PID 4752 wrote to memory of 4932	4752	863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe	89
PID 4752 wrote to memory of 4932	4752	863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe	89
PID 4932 wrote to memory of 4440	4932	cmd.exe	94
PID 4932 wrote to memory of 4440	4932	cmd.exe	94
PID 4932 wrote to memory of 4440	4932	cmd.exe	94
PID 4440 wrote to memory of 2520	4440	cmd.exe	95
PID 4440 wrote to memory of 2520	4440	cmd.exe	95
PID 4440 wrote to memory of 2520	4440	cmd.exe	95
PID 4932 wrote to memory of 752	4932	cmd.exe	96
PID 4932 wrote to memory of 752	4932	cmd.exe	96
PID 4932 wrote to memory of 752	4932	cmd.exe	96
PID 752 wrote to memory of 4764	752	cmd.exe	97
PID 752 wrote to memory of 4764	752	cmd.exe	97
PID 752 wrote to memory of 4764	752	cmd.exe	97
PID 4932 wrote to memory of 3952	4932	cmd.exe	98
PID 4932 wrote to memory of 3952	4932	cmd.exe	98
PID 4932 wrote to memory of 3952	4932	cmd.exe	98
PID 4932 wrote to memory of 4052	4932	cmd.exe	102
PID 4932 wrote to memory of 4052	4932	cmd.exe	102
PID 4932 wrote to memory of 4052	4932	cmd.exe	102
PID 4932 wrote to memory of 4156	4932	cmd.exe	103
PID 4932 wrote to memory of 4156	4932	cmd.exe	103
PID 4932 wrote to memory of 4156	4932	cmd.exe	103
PID 4932 wrote to memory of 4848	4932	cmd.exe	105
PID 4932 wrote to memory of 4848	4932	cmd.exe	105
PID 4932 wrote to memory of 4848	4932	cmd.exe	105
PID 4932 wrote to memory of 816	4932	cmd.exe	106
PID 4932 wrote to memory of 816	4932	cmd.exe	106
PID 4932 wrote to memory of 816	4932	cmd.exe	106
PID 4932 wrote to memory of 1732	4932	cmd.exe	109
PID 4932 wrote to memory of 1732	4932	cmd.exe	109
PID 4932 wrote to memory of 1732	4932	cmd.exe	109
PID 4932 wrote to memory of 4644	4932	cmd.exe	112
PID 4932 wrote to memory of 4644	4932	cmd.exe	112
PID 4932 wrote to memory of 4644	4932	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe
"C:\Users\Admin\AppData\Local\Temp\863853779cb75e604f7f561e9d6aaeb2b6dab6209b1b45a4224baf6487a19d5e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ratt.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\nslookup.exe
      nslookup myip.opendns.com. resolver1.opendns.com
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic ComputerSystem get Domain
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get Domain
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionPath "$Env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command 'Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local\Temp\ratt.exe"'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\7z.exe
    7z.exe x -o"C:\Users\Admin\AppData\Local\Temp" -y ratt.7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1732
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -executionpolicy RemoteSigned -WindowStyle Hidden -file Add.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
681df2a642a9d7b8a57320a92efae6d1

SHA1
497188fb7ada7c7e9b91e704a918bee6a88485a9

SHA256
239125cb28e2a5b99f73086c71b43e182c03979949e8951d8f75a7ee90d57044

SHA512
785caba3d39f57ca86fc16a29f3d658e3527c357ae4d77a2c8d10a97bbb9925ed54c02d0ab87e2744ede50a2deccb8eee3ac4b7f70798ab5429bf10a83196418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
379fdf75c1ddef569667ec538b5dbdfc

SHA1
7872eaab42eaa3bf144fc83f7ae88df14d36f6b3

SHA256
a6bb29b0286333108abac36408d319d04e56639304f49fac09d15edcd9741350

SHA512
1b4f7e9814e3b651ddffb6d1dc611d6a6dcd4ef591c711a0073e39300d977f1857d8cbf46b0f34b75657592b88fd4505b55dca28fc0304a7b68f151eac993af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
43b2b85d3dcebe71775ed2ad47a6e9ce

SHA1
2b6890ea00af7dd3244818cb214f26ad7091936b

SHA256
1a17fafb13ecf7b67f8f1957df8235d25bae3fa604f85965d213f3e19bb64048

SHA512
2b03070b8ab5b152896513e2c867a2a7811d12c6148f8317d22f3fe7ee38d3307c60b7a8c3d5e7a2733ad6faad1f236438f9c4ea19362c6e377dde948a9eac37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
a99d7eaf7596fa8057df195e228cde58

SHA1
ad5fad7d6e3e28ff76e0b97226515a93e9d2ad3c

SHA256
cc9fe94d2ecde76ce8c377d4ef9054c16db49c0a554d4b4e85a4d1b13e67e232

SHA512
bd1e7b35fbbe35868f101bcd27f7b09332fe438a57e7f811e86f8820ff2b1e0969d6a2ff43bf4c8f2ab023a542f15060b2f41a2d978e7046f49b4cb38333d0ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
7f534f408174aa986c967d85295e217e

SHA1
1222f6c20d4437227a09d3af5d743dace1496af6

SHA256
00beef02d5bbe60d6d1c0c3fc56ed781eaef1b79e8c37cbb5204d9f2fcbb8329

SHA512
7f8bbbed6c6c9ffe03f82fd9b14eb807b36be82ccbcc2a8d66f899c58b707ceb446296a39b699020df1f874e3d20b7726639a886f71a8e1f561291bc42093232

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.dll

Filesize
328KB

MD5
15bbbe562f9be3e5dcbb834e635cc231

SHA1
7c01cf5fa4db2312c5ed2f7b8c41e3e5c346a51a

SHA256
ed50ef8e0b6dd83fb0c3f733329d4aa6e5a3beb3491e2ba9d2ae206813508dde

SHA512
769287951b8c16f4b10c1b58e82612844babe7b5c10445fe848d713fb5e8321bcbbd9780e9c564cffe35ea4144e8a7e19645291c4eea372fcaa19ae395a97287

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z.exe

Filesize
71KB

MD5
8ba2e41b330ae9356e62eb63514cf82e

SHA1
8dc266467a5a0d587ed0181d4344581ef4ff30b2

SHA256
ea2ad8d87b79c8eb3952498c7005a195986436cfd7ca7736dbbdda979142daea

SHA512
2fdfc2d368c70320b3dac00fef06381ef90a2a82a1f3137109b033d84e5b70185039af6ec918012dc03bc9d046cd8d8aee3247ba0f59d394e78f1f73380f7a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Add.ps1

Filesize
1KB

MD5
0df43097e0f0acd04d9e17fb43d618b9

SHA1
69b3ade12cb228393a93624e65f41604a17c83b6

SHA256
c8e4a63337a25f55f75ad10ab2b420d716bad4b35a2044fd39dcd5936419d873

SHA512
01ae71dd2ee040baad6f4b9afcfbaeca2b9f6cc7d60ade5de637238d65c17d74292734666f4ae6b533f6bf1007c46387d8e690d97c3b7a535bcd6f216e70c4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rcyg02aa.vfm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.7z

Filesize
693KB

MD5
7de6fdf3629c73bf0c29a96fa23ae055

SHA1
dcb37f6d43977601c6460b17387a89b9e4c0609a

SHA256
069979bfb2aefe3cac239fe4f2477672eb75b90c9853fb67b2ac1438f2ec44ff

SHA512
d1ef2299aacf429572fd6df185009960e601e49126f080fdced26ec407e5db86eaa902e474635464aac146b7de286667a398f2c5e46c4a821dad2579bfb3acf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.bat

Filesize
1KB

MD5
7ea1fec84d76294d9256ae3dca7676b2

SHA1
1e335451d1cbb6951bc77bf75430f4d983491342

SHA256
9a419095c0bafc6b550f3f760c7b4f91ef3a956cfa6403d3750164ecdbe35940

SHA512
ab712c45081b3d1c7edd03e67a8db1518a546f3fbf00e99838dfe03a689c4867a6953e6603dcd2be458b2441f4a2b70286fd7d096549cfcf032dd2cd54d68317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ratt.exe

Filesize
497.1MB

MD5
4f70edc0e5e8a8c574e43a8b1733460b

SHA1
b2b44b49ff300d4605ecdcd9d699bcf45031432c

SHA256
8fa9639d7378ee5e85f3b86d4cdc4cd7b6f035e466bf8d203ec44b8374c8cf06

SHA512
7eb088629f9af400ebd95cd1ef4df14a94a9ccf2792a04a9a4c4076891c88829899cc92b1bfce9a3e4b2703639375e3fe285bce74f232d85a711e739da9fad44

Download Submit
memory/816-101-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/816-99-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/816-86-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/816-87-0x00000000027E0000-0x00000000027F0000-memory.dmp

Filesize
64KB

Download
memory/816-94-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-105-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1732-112-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/1732-110-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1732-121-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1732-108-0x0000000010000000-0x00000000100E2000-memory.dmp

Filesize
904KB

Download
memory/3952-35-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/3952-32-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3952-31-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/3952-30-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

Filesize
120KB

Download
memory/3952-29-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/3952-19-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3952-18-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/3952-17-0x0000000004FF0000-0x0000000005012000-memory.dmp

Filesize
136KB

Download
memory/3952-16-0x0000000005100000-0x0000000005728000-memory.dmp

Filesize
6.2MB

Download
memory/3952-15-0x00000000028F0000-0x0000000002926000-memory.dmp

Filesize
216KB

Download
memory/3952-14-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/3952-13-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4052-37-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4052-53-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4052-39-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4052-38-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4052-49-0x00000000054A0000-0x00000000057F4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-51-0x0000000000E40000-0x0000000000E50000-memory.dmp

Filesize
64KB

Download
memory/4156-69-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/4156-70-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4156-55-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/4156-56-0x0000000000F50000-0x0000000000F60000-memory.dmp

Filesize
64KB

Download
memory/4156-54-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4156-66-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/4644-139-0x0000000006210000-0x000000000625C000-memory.dmp

Filesize
304KB

Download
memory/4644-125-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4644-127-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4644-126-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4644-137-0x0000000005D30000-0x0000000006084000-memory.dmp

Filesize
3.3MB

Download
memory/4644-141-0x0000000074FC0000-0x0000000075770000-memory.dmp

Filesize
7.7MB

Download
memory/4644-142-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4644-143-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4848-71-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4848-73-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download
memory/4848-85-0x0000000075090000-0x0000000075840000-memory.dmp

Filesize
7.7MB

Download
memory/4848-72-0x0000000002B80000-0x0000000002B90000-memory.dmp

Filesize
64KB

Download