e8d786577061f8b771e8dc4327d8a456e5e0aca5de42453672d20842a8413dd9

Analysis

max time kernel
92s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe
Size

14.6MB
MD5

3781ce7aa4b0516d0d34e319426f1171
SHA1

bf54422d2de53c4fe1397382ce188ac412e6c668
SHA256

e8d786577061f8b771e8dc4327d8a456e5e0aca5de42453672d20842a8413dd9
SHA512

af30bfcc8f31af3433ab847b86f566a60b6349f74c55a39c31a3846e53e08c44ae136090f4e1a0d0ec42680890ab4fdc30b8601b2dfd0e44f9bd09ac58049ec7
SSDEEP

196608:XyfE81fmwzIbkM3MYpLn90O5DfgIs5mFwFILAifU3WAsaVVKdmls7t:+z1KMYpr9FDfgIw9icmAse

Score

10^/10

bootkit discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2104	XmpLiveUD.exe

Loads dropped DLL 6 IoCs

pid	Process
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	XmpLiveUD.exe
File opened (read-only)	\??\P:	XmpLiveUD.exe
File opened (read-only)	\??\Q:	XmpLiveUD.exe
File opened (read-only)	\??\U:	XmpLiveUD.exe
File opened (read-only)	\??\W:	XmpLiveUD.exe
File opened (read-only)	\??\E:	XmpLiveUD.exe
File opened (read-only)	\??\L:	XmpLiveUD.exe
File opened (read-only)	\??\N:	XmpLiveUD.exe
File opened (read-only)	\??\O:	XmpLiveUD.exe
File opened (read-only)	\??\R:	XmpLiveUD.exe
File opened (read-only)	\??\Y:	XmpLiveUD.exe
File opened (read-only)	\??\J:	XmpLiveUD.exe
File opened (read-only)	\??\K:	XmpLiveUD.exe
File opened (read-only)	\??\T:	XmpLiveUD.exe
File opened (read-only)	\??\V:	XmpLiveUD.exe
File opened (read-only)	\??\X:	XmpLiveUD.exe
File opened (read-only)	\??\B:	XmpLiveUD.exe
File opened (read-only)	\??\G:	XmpLiveUD.exe
File opened (read-only)	\??\H:	XmpLiveUD.exe
File opened (read-only)	\??\I:	XmpLiveUD.exe
File opened (read-only)	\??\S:	XmpLiveUD.exe
File opened (read-only)	\??\Z:	XmpLiveUD.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XmpLiveUD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XmpLiveUD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XmpLiveUD.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XmpLiveUD.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4316	ipconfig.exe
2512	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	XmpLiveUD.exe
2104	XmpLiveUD.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe
Token: 33	4108	mmc.exe
Token: SeIncBasePriorityPrivilege	4108	mmc.exe
Token: 33	4108	mmc.exe
Token: SeIncBasePriorityPrivilege	4108	mmc.exe
Token: SeDebugPrivilege	2104	XmpLiveUD.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4108	mmc.exe
4108	mmc.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 2400	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	86
PID 3412 wrote to memory of 2400	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	86
PID 2400 wrote to memory of 4316	2400	cmd.exe	88
PID 2400 wrote to memory of 4316	2400	cmd.exe	88
PID 3412 wrote to memory of 1472	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	89
PID 3412 wrote to memory of 1472	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	89
PID 3412 wrote to memory of 1396	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	91
PID 3412 wrote to memory of 1396	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	91
PID 1396 wrote to memory of 4944	1396	cmd.exe	93
PID 1396 wrote to memory of 4944	1396	cmd.exe	93
PID 1396 wrote to memory of 868	1396	cmd.exe	94
PID 1396 wrote to memory of 868	1396	cmd.exe	94
PID 1396 wrote to memory of 4856	1396	cmd.exe	95
PID 1396 wrote to memory of 4856	1396	cmd.exe	95
PID 3412 wrote to memory of 8	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	96
PID 3412 wrote to memory of 8	3412	2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe	96
PID 4108 wrote to memory of 2104	4108	mmc.exe	99
PID 4108 wrote to memory of 2104	4108	mmc.exe	99
PID 4108 wrote to memory of 2104	4108	mmc.exe	99
PID 2104 wrote to memory of 4036	2104	XmpLiveUD.exe	101
PID 2104 wrote to memory of 4036	2104	XmpLiveUD.exe	101
PID 2104 wrote to memory of 4036	2104	XmpLiveUD.exe	101
PID 4036 wrote to memory of 2512	4036	cmd.exe	103
PID 4036 wrote to memory of 2512	4036	cmd.exe	103
PID 4036 wrote to memory of 2512	4036	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_3781ce7aa4b0516d0d34e319426f1171_moonbounce_ryuk.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4316
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\ppi8f.xml
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:1472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\4SRaG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:4944
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:868
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
    3⤵
    - UAC bypass
    PID:4856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\DvQn3\Dj4hU~c\p+C:\Users\Public\Pictures\DvQn3\Dj4hU~c\w C:\Users\Public\Pictures\DvQn3\Dj4hU~c\xlstat4.dll
  2⤵
  PID:8

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe
  "C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig /all
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /all
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4SRaG.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\NH.txt

Filesize
179KB

MD5
197801fc836f4e66a9c7494ce8b34d7d

SHA1
fd8cb85cde4c300336e022af0b255c7df51ad5ff

SHA256
f7fab17cffd3457cf0f9539e136b420b5f817342c5dcc82c8773137969429e60

SHA512
2f238bb54b37240bb3ac52fc31b6fb49374005de137a2f8890e216ee9a9a93fc7192e1c56dbe8f913a807ce7b1ea0c97e762be16947d8ddb700fd00f0710c506

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\SSLEAY32.dll

Filesize
371KB

MD5
7456818a22dad2c0965580d8bbf4cabd

SHA1
548714607df2ec3b7c8a22cfba3a1776e6e80861

SHA256
f3a288c5455b074fe9c9d5a160adeb49e84bbe1832b5fcbe8f26093215192f65

SHA512
13f6589bd9c0c60a3df63325c57e94129761adc558d1a65eb4c6e138e6155dd9dbe501d45edde282219dc357593458f5f84a29188d123dcb7770e7479f6a7e68

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XLLiveUpdateAgent.dll

Filesize
935KB

MD5
95510f67cf120d180362fd2d3ec23d9c

SHA1
4787cfb2398fd3285be85e52be633f454bb48ff6

SHA256
9f64fdbf96b10a185c51bf9e7d6199e44a5ef3255de40a0a447cf556ac7675f0

SHA512
4caf48792686a89e8397813a6b0246b274986e7fdf245d0b1aa3e36b7e9de0be7b618cd483871f76769a569a7b896f5b9f461f62f4d26cedbf257cc74c69f562

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\XmpLiveUD.exe

Filesize
4.8MB

MD5
5fccddc84705ef583e1e105a706a4cea

SHA1
fd62980ab42f9062cb2cae7fb432169a660a9391

SHA256
b09997d6da86ae913039327a1ca291a405d741722be660046db75e9b76b3176c

SHA512
b9a690bf3c01e4e111c1139fac883265d8b97c96d9d6ae2bb4e9c303a622ab2c67b6acd058534f7afb14d9d2f0aa48eefea83d73ebaa7b972ff3c75c0723c4ac

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\libcurl.dll

Filesize
706KB

MD5
4b5dfd7e9ac50a741b5ac6102b30cbf5

SHA1
c3ae8f11f12b2160055a28ee8cd0f14d215864dc

SHA256
8fbb6e1c42d6ea9fb1f5651d0cad370cbd36fda89035568c460193b1ae316cdc

SHA512
9099874416956b53bb7a8d63a215f0e40ae806d21bdad6fcdba002f35c5b3d8827c7d5e5c9500a356a7bdf7a3d402c3d8851dd0df69a72fed752277f32b210cc

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\libeay32.dll

Filesize
1.4MB

MD5
ff5c63efbba91a0eec9fc645da655b4c

SHA1
d225ceff3601b57add69df7d854b2348a8980255

SHA256
e1fbb97ff3607d569d584f78ce77a9dd2cf64dca05aebdbf3e55c9711e07b3be

SHA512
96b963823d7a28e4d4ecd703aa26ad3d3e1d4086e09a4cc08ca88c30c9b8ceb42b7daf184e33b9175f87a566e78028cca3e6ab90ed6537598677f27b15eefce5

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\libexpat.dll

Filesize
379KB

MD5
0cdb376595b90c8e40169a7332c609cc

SHA1
0e47e06237f27388437d8631d055e78a34b37e03

SHA256
31d2076066107bd04ab24ff7bbdf8271aa16dd1d04e70bd9cc492e9aa1e6c82b

SHA512
3062a64d412d69996d36caf7acf1dd040941ab9adf26841fcb103d4711ffcb8e3a8deaa9374042c882e1e4c3ad51e4d294498c398d2b6adf0f1c6669d6f1d94b

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\p

Filesize
995KB

MD5
5d053b14abbf373becdacfd37255d66f

SHA1
1cdacdcdec218ff012833c6d2112b442a93faa3e

SHA256
d3b68aeaa2790263fa3dcac20180301f9799b0cdcd128ae7605fe0be04fcebd0

SHA512
21097a855e11a75726c10e8f752e544f1b2653e31a62533e781ca684e6634c749bd8eaa8f604b0c5c2d10ab6cd945fb77e11ed9cc3390afd84c9bb1cf9b5af96

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\w

Filesize
995KB

MD5
fca0e9a74dc82526abd10b22e4bd606a

SHA1
31fdb518ca35520ab41a98d56c69f18aa8291deb

SHA256
ad2156d8e8bb8822681724ae7130113a37894d78734ac4abed49a59b8e705101

SHA512
1bfdf57b3ef863ac3481504f051a446a025983560460eb3b09d46cdfb6693625de778c39f3251c91ba195b500f999d5f1df584e6e0af053ac3c08c836a347e66

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\xlstat4.dll

Filesize
1.9MB

MD5
a649287732a25bdbe4eae298947a25b5

SHA1
08b698b504e99aa9a996d4c2f32ef3b621f582a1

SHA256
0582645b1d67fbc001537d570c9018a35a9fb516f8193d672bae9994f6bb9cd9

SHA512
e1f58950f05f8d5488f783509a54d920ed714e759fd9bb71b69c2412698b6ecfe02399770b98ea10ff62753da55daf75b527759a01270f980bfb5cd0ac85c72e

Download Submit
C:\Users\Public\Pictures\DvQn3\Dj4hU~c\zlib1.dll

Filesize
396KB

MD5
9fcbcfd38da2498cb14936f04b6364b7

SHA1
b43a72cd5e1f12579f65e7d09b72f38802b5e02e

SHA256
f16ed7812cbe5b17edce48a3de195157fe558f4ee8fc8024d239be5b03938b16

SHA512
3e3ca876602c2a447d011458ffe95b09100c69710b5b2fdbe3e36555ecc1ebe1ab6c34422cbf4a1fd3d7ce6e64721becd0fcf02e0e6a40bb75a5c2fed96affb6

Download Submit
memory/2104-64-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-65-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-37-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-36-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-72-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-71-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-70-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-50-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-52-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-51-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-53-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-54-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-57-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-58-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-62-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-68-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-38-0x0000000003160000-0x00000000031C9000-memory.dmp

Filesize
420KB

Download
memory/2104-67-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-66-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/2104-69-0x0000000003880000-0x00000000038E4000-memory.dmp

Filesize
400KB

Download
memory/3412-0-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/3412-49-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/3412-2-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download
memory/3412-3-0x0000000180000000-0x0000000180794000-memory.dmp

Filesize
7.6MB

Download