553aeddfd29dd28d8c0ed650aee5a6f70678d2630e59548338532348ded56fab

Analysis

max time kernel
30s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Size

6.2MB
MD5

c92c59fa1503d65d1d67a578928e3c55
SHA1

0cb1106bde45dd5be118bb7b9ebb2be3e41b7203
SHA256

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50
SHA512

1f8c714bfc23bd642ec6f4e5539ac1585e0cd8a54ba2b72ff06d7b4f0dd94589a8e6ab41b689f11f51425067784e071eeffc7e803470d55793492d38f6d11241
SSDEEP

196608:CIgAn6JaxBEvXUJyXEJDNfZJoExr77dZWoNMUyr:SA6YxBYXY+sJokFZWdUy

Score

9^/10

evasion

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
4784	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exewinserv.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 1 IoCs

Processes:

winserv.exe

pid	Process
3624	winserv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
63	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
1784	schtasks.exe
2208	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
3696	timeout.exe

NTFS ADS 2 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exewinserv.exe

pid	Process
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
3624	winserv.exe
3624	winserv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

winserv.exe

pid	Process
3624	winserv.exe
3624	winserv.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe

description	pid	Process	procid_target
PID 4584 wrote to memory of 1784	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	92
PID 4584 wrote to memory of 1784	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	92
PID 4584 wrote to memory of 2208	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	94
PID 4584 wrote to memory of 2208	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	94
PID 4584 wrote to memory of 3624	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	96
PID 4584 wrote to memory of 3624	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	96
PID 4584 wrote to memory of 3624	4584	4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe
"C:\Users\Admin\AppData\Local\Temp\4d82679e58ebb79116a82dade9fe359fe72c348780dd8a6cfdc3469fe6a49c50.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:1784
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Creates scheduled task(s)
  PID:2208
- C:\ProgramData\Windows Tasks Service\winserv.exe
  "C:\ProgramData\Windows Tasks Service\winserv.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3624
- - C:\ProgramData\Windows Tasks Service\winserv.exe
    "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
    3⤵
    PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
  2⤵
  PID:1524
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного рабочего стола" John /add
    3⤵
    PID:1292
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
      4⤵
      PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
  2⤵
  PID:4460
- - C:\Windows\system32\net.exe
    net localgroup "Пользователи удаленного управления" john /add" John /add
    3⤵
    PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
  2⤵
  PID:4244
- - C:\Windows\system32\net.exe
    net localgroup "Administradores" John /add
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
  2⤵
  PID:4428
- - C:\Windows\system32\net.exe
    net localgroup "Remote Desktop Users" john /add
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user John 12345 /add
  2⤵
  PID:3132
- C:\ProgramData\RDPWinst.exe
  C:\ProgramData\RDPWinst.exe -i
  2⤵
  PID:2164
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
    3⤵
    - Modifies Windows Firewall
    PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
  2⤵
  PID:4348
- - C:\Windows\system32\timeout.exe
    timeout 5
    3⤵
    - Delays execution with timeout.exe
    PID:3696

C:\Windows\system32\net.exe
net user John 12345 /add
1⤵
PID:4056
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 user John 12345 /add
  2⤵
  PID:4088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
1⤵
PID:4312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administrators" John /add
1⤵
PID:1816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
1⤵
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Administradores" John /add
1⤵
PID:1780

C:\Windows\system32\net.exe
net localgroup "Administrators" John /add
1⤵
PID:1160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup "Администраторы" John /add
1⤵
PID:4360

C:\Windows\system32\net.exe
net localgroup "Администраторы" John /add
1⤵
PID:3008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1944

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
PID:1784

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
57KB

MD5
1559a1a7ffd21f95e2132c83a264658e

SHA1
7df2eafb31a5fd3cf7fdbd963cbb89a7e64d20f0

SHA256
b53cf05e1667c2783739a10ebeccb0a9cb78876faba47ac8e121d8f9f1ee3596

SHA512
c48600dea91af40ec3d8d16cbfc503508d5d35427a15e572885fb4ade6a4b6fa9d17a9602d18b15d3121a99c4fefacee8673fae7350fc11d41f738de8397d65a

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
77KB

MD5
37217ae424426645936ca20f624ec8c8

SHA1
afcb10476fdd317f0bf58628b09e37e532a45948

SHA256
33db901abf90cf71e690852e8359264de3da888c6766eea0d239b837e428cfee

SHA512
c5e7b1126ad483692c2c858429e7804ffda1569f6a1a53565200d8364ec87bae776346174efda3c5cb23b0b09b067fbe698baedc7ad2865a891573d44c632cf6

Download Submit
C:\ProgramData\RDPWinst.exe

Filesize
58KB

MD5
e2585e97e16ad16922bc5846286e8205

SHA1
fa5db02ffbecfc22bba444c58a9d17474cd145d4

SHA256
9cc0a0ae5c18758e2fd89253e60b1f57708245e501364ee7317947544aec34a1

SHA512
c9e20f65f2a7f18438f8828be9cdcd39aefee4305f77a78ac7ebb261e8a38b2fbd03a9022ef089d3015dd6f592e21e79fa7afb53e135faa1aaa1ae2a46d8a59b

Download Submit
C:\ProgramData\Windows Tasks Service\settings.dat

Filesize
2KB

MD5
e21b95f6f2e5a0483e40b4caef16c718

SHA1
4310628908a9ff2c30064700f90a502cb3e13e49

SHA256
5deccd3b77e7f261ca0d427f0aa7dbdabb1d8c4ba92672a15855949813a16a58

SHA512
fd5b05a1f42ab36b39b4bfd08a244362b456bd5ecaee14912538d9a2d9c26583b0b824c4d606ae5e869cc143ea67d48269204dd5897878f35360439fd61246f2

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
755KB

MD5
7fe523fe32cb92ad5d2e07a26b4fe4f6

SHA1
0963973b5c80f0013d4703c40ea308ce42f64c90

SHA256
6f8fd983150d66df898cad3fbb5c6177b45a9690ac5117e59041d05f085d703d

SHA512
eb889e1278b2c3ece94ad34ca12bf15ce6dd58a62e6f917f30b628da38dceb5190b2d15516ac63900f7806cbb20ba9a8679b2ab5999a15a731383da682455b1e

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
12KB

MD5
61a0d93245755a1a483a7116b350c1f1

SHA1
0e743b53145b43ba4504f7434c99ebb9c32c6b2e

SHA256
49fabc18a75d1bb4b397ce853666925ff8afb674ea18692c751cdf928821acd0

SHA512
f03decfc80f5071158ba688113604125faf88ef5770786466b2b90c54c84aabd7e8e3dc263e4229875dea6baf26820ad6448804f8657e138ddfb9af5b957d72d

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
40KB

MD5
69e55dd701decd6f85ff0dc479da1c64

SHA1
8a8f73aad22bb65865ee2df3ba79e56f6a03f4d5

SHA256
37bfccbbaa921791abb71f3ba0e26b70a6935b96818bf5568808886577eb4a25

SHA512
be316b0ace5c70c37bfe22d30cee2a8ae08fe52ffad1860b2d399d9d3c2df6098d97d6c5b37c065d9057e1fcafc024c14a9f08402ec48607f4ef0566a9afbdc0

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
1.5MB

MD5
4f93dce68945700cdc097fc4c632b888

SHA1
e39794cf03e7a3736a1f2c760f46e56428bc2e40

SHA256
929c34d9c6a4e1c45eb2372587c149cae2c72f8c308d0adef4bd2c9660a6752d

SHA512
1fe9d8b2abbaf0561fa2c15872b930fbe3f2518b7c318dbea557b8fc0a3e914c60d99cc65be09034a80588386485c2688273b76d5a3343dccd54c755586a0d09

Download Submit
C:\ProgramData\Windows Tasks Service\winserv.exe

Filesize
14KB

MD5
47ae4ad148e9dd397dd42105535e4fb8

SHA1
7509b0527433e0a5e23135913090d30123ebe48c

SHA256
d54c6d2bc08bedb2c568ee8817c530a941f6804e477602d997c2f86d50f2fc28

SHA512
bb59347278d36b38d3f9455cf07d20714a100f44d48449641d6918157da2924392011d047e683123eb36901d9b58c1c6869aef6c15196ac8801e361b0d732167

Download Submit
C:\Programdata\Install\del.bat

Filesize
315B

MD5
155557517f00f2afc5400ba9dc25308e

SHA1
77a53a8ae146cf1ade1c9d55bbd862cbeb6db940

SHA256
f00d027b0ed99814846378065b3da90d72d76307d37b7be46f5a480f425a764e

SHA512
40baee6e6b22c386886d89172ad7c17605166f992f2d364c68d90b9874ab6f7b85e0accc91e83b4fbd2ae702def365f23542f22f6be7ff2f7949496cc0ba8a32

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.dll

Filesize
62KB

MD5
257186c6f1c29f1adb970927f288a99c

SHA1
8f5c0008ede2e49e6fd1d128611a2b9fc51aa1c1

SHA256
656a0cc3bd0f356d25ea88c9bebc4b5f68185d5acc76f596e04591506d4b8dee

SHA512
6f4d2c7c0eb8227781aee127fa1af08d49885ec78fa72e71b526c49dcd3c501379da463009be886a9ff18e80c40ca8b6684957eb9f3e1f07b85d184042836784

Download Submit
memory/1480-100-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1480-101-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/1480-98-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1784-78-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1784-80-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1784-79-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/1784-77-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/2164-64-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3624-18-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/3624-17-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-16-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-22-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-15-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-19-0x00000000047D0000-0x00000000047D1000-memory.dmp

Filesize
4KB

Download
memory/3624-14-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-13-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-12-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/3624-11-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-30-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-41-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/4516-44-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-45-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/4516-39-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/4516-40-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/4516-60-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-61-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/4516-31-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4516-32-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/4516-36-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4516-65-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-67-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-38-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4516-37-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4516-35-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-34-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4516-29-0x0000000004980000-0x0000000004981000-memory.dmp

Filesize
4KB

Download
memory/4516-26-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4516-82-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-27-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4516-93-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-25-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/4516-24-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-23-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/4516-21-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download