sectoprat | d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a91b4875630c4f702ab63f94ed633da4.exe
Size

83.6MB
MD5

a91b4875630c4f702ab63f94ed633da4
SHA1

d485e90a501aa11f89f684063e5fbe235937f0bf
SHA256

d864a359e3a19182e72109fe75408d21b10215938e8be4098c4dbbc8ce0b7c7c
SHA512

43e4a19efcb814ae3b418177679fb52d257fd9046b6ac4baaea2fdfecb8627bc80ecdfc8288139d669e639c748f63c043d5b6997147b580d64bab3518524b460
SSDEEP

1572864:ZyM8TruaFhFBQ4aidylq1RFVKl8J/1BbAYqnmy2QPz2Pt0BQGRClJygc:ZyMAeiTFny2ezE0QGiJygc

Score

10^/10

sectoprat discovery execution rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1964-265-0x0000000001300000-0x00000000013C6000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	a91b4875630c4f702ab63f94ed633da4.tmp

Executes dropped EXE 2 IoCs

pid	Process
3480	a91b4875630c4f702ab63f94ed633da4.tmp
3960	dobi.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3960 set thread context of 3388	3960	dobi.exe	104
PID 3388 set thread context of 1964	3388	more.com	111

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Canva\is-565GF.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-U7R4V.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-LV6CL.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-S41GL.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-TEOMG.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-2ALDS.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-THJ48.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-KU0Q5.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-4GDUV.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-DIMPG.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-A45AH.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-6B79I.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-1SBQ1.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-ORV29.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-T23J9.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-OMBQL.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-9K599.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File opened for modification	C:\Program Files (x86)\Canva\unins000.dat	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-77E7M.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-6OH2R.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-C3EGO.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-JEQUL.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-5L8P1.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-V9BD9.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-LM8UI.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-H0JN4.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-9NBN3.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-AHOEF.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\resources\is-19MAV.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-TH3P1.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-ATDRV.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\unins000.dat	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-O7LRP.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-7ATF8.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-EDK45.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-SARC0.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-7ABI9.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-PP2IA.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-0UK4N.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-HA640.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-EO0IR.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-TKU42.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-7D3U9.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-F3K3B.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-N98SO.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-9MSOL.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-36MQ7.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\resources\is-R6NFQ.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-RQJS9.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-QGCRV.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-SDO0K.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-J638B.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-SPJ9E.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-IRQHF.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-5LNP0.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\is-GG461.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-7FPB3.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-UTR97.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-MS9FS.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-TB9TP.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-JBVLF.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-KU0JV.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-SE05C.tmp	a91b4875630c4f702ab63f94ed633da4.tmp
File created	C:\Program Files (x86)\Canva\locales\is-QD68I.tmp	a91b4875630c4f702ab63f94ed633da4.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4744	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91b4875630c4f702ab63f94ed633da4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a91b4875630c4f702ab63f94ed633da4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4744	powershell.exe
4744	powershell.exe
3960	dobi.exe
3960	dobi.exe
3388	more.com
3388	more.com
1964	MSBuild.exe
1964	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3960	dobi.exe
3388	more.com
3388	more.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1964	MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3480	a91b4875630c4f702ab63f94ed633da4.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	MSBuild.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3480	2536	a91b4875630c4f702ab63f94ed633da4.exe	83
PID 2536 wrote to memory of 3480	2536	a91b4875630c4f702ab63f94ed633da4.exe	83
PID 2536 wrote to memory of 3480	2536	a91b4875630c4f702ab63f94ed633da4.exe	83
PID 3480 wrote to memory of 4744	3480	a91b4875630c4f702ab63f94ed633da4.tmp	100
PID 3480 wrote to memory of 4744	3480	a91b4875630c4f702ab63f94ed633da4.tmp	100
PID 3480 wrote to memory of 4744	3480	a91b4875630c4f702ab63f94ed633da4.tmp	100
PID 4744 wrote to memory of 3960	4744	powershell.exe	103
PID 4744 wrote to memory of 3960	4744	powershell.exe	103
PID 3960 wrote to memory of 3388	3960	dobi.exe	104
PID 3960 wrote to memory of 3388	3960	dobi.exe	104
PID 3960 wrote to memory of 3388	3960	dobi.exe	104
PID 3960 wrote to memory of 3388	3960	dobi.exe	104
PID 3388 wrote to memory of 1964	3388	more.com	111
PID 3388 wrote to memory of 1964	3388	more.com	111
PID 3388 wrote to memory of 1964	3388	more.com	111
PID 3388 wrote to memory of 1964	3388	more.com	111
PID 3388 wrote to memory of 1964	3388	more.com	111

C:\Users\Admin\AppData\Local\Temp\a91b4875630c4f702ab63f94ed633da4.exe
"C:\Users\Admin\AppData\Local\Temp\a91b4875630c4f702ab63f94ed633da4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\is-HEAFR.tmp\a91b4875630c4f702ab63f94ed633da4.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HEAFR.tmp\a91b4875630c4f702ab63f94ed633da4.tmp" /SL5="$5026E,81954756,1209856,C:\Users\Admin\AppData\Local\Temp\a91b4875630c4f702ab63f94ed633da4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-T854P.tmp\ExtractedContent.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Roaming\SystemUtil\dobi.exe
      "C:\Users\Admin\AppData\Roaming\SystemUtil\dobi.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\39ef2413

Filesize
1.6MB

MD5
9e31991a93a6c781884e89a8572f5ea0

SHA1
4b83364234b879525ce91bbaa5226e91749491ed

SHA256
ecb718af37ec5b9c8b6a1f5aa535df409cad971852b01da72dfa3950dd51693a

SHA512
1d8da914fe1f7a164696b52b4d1fab12bb4defe0e09c94f862edad3e2bd7727a5004df362280ca47b7cc8a1ca6c8d3ec39a6b4d90e77779ce609c35e004e436f

Download Submit
C:\Users\Admin\AppData\Local\Temp\47097541

Filesize
1.4MB

MD5
db824f0e0deb72ed65bc264a8ec9f71c

SHA1
1d0cecebffee9662102597fc5bf05ba83d4ddf5d

SHA256
d0e7d15d33044622ddb8acdb04bc01f69529f2caef03ed73cdf1e15fbbd70355

SHA512
d1db139db495668c89495cec3a7816535137317a062906dfe6bb8ae84df7ff5812bcee2b9c1933f24728997721eec636227a7102645b49321c690578f6cce73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnu2pebk.hy3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HEAFR.tmp\a91b4875630c4f702ab63f94ed633da4.tmp

Filesize
3.5MB

MD5
6ab2af20157d2f440e8b22982f6247c5

SHA1
53c0da8de2ee2c50b79913a876edcd7078897566

SHA256
c95f668ab97a0c6650381e0fc1a93aa043e3f899eef09dd7a3b0837a4298838e

SHA512
5ed8b96a65c44f7cab604440f21b5e2f331c38d2e7ca3ebb26a9c1750ae5e5690225ec0f6530e6c65589dc639fcbcbf9afa80e85881b6f731118d0089559cb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T854P.tmp\ExtractedContent.ps1

Filesize
5.5MB

MD5
f7e2624867775590018ce9586ac1d4a8

SHA1
6e2e80d1bde207734647b48d71dc483ff56a29a1

SHA256
0547b50b9070c88c19d054d1d2f084f72fe3717be07265af0ea4ce87ffd8ebc5

SHA512
fa8312dbac3b24f3d8d09576084f04e7289f2878bd5b4157328fc51259ca918a8874fa1e60b0f095634abe2f86a64941c74f702ffb52ed80c0310d8622297c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD213.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Roaming\SystemUtil\dobi.exe

Filesize
9.6MB

MD5
a439025e40533f6e78c74fe8e9ce9875

SHA1
6ae40c35d089fd05b521affda29c205effdf9928

SHA256
a15ddd90e6ad35fc8896d7d613d0d178bdc29a9353128e6b5b4e177abcb8195f

SHA512
a2e22c32a1b6c50cfef234a7fe9581df516d3b7129645d64ffb16652a4dc757294aa5ccdae2a3c1a530c71251abeeb73356ca4f6b33b73fdd7cac2161a16d84b

Download Submit
memory/1964-268-0x0000000005940000-0x00000000059B6000-memory.dmp

Filesize
472KB

Download
memory/1964-267-0x0000000005B10000-0x0000000005CD2000-memory.dmp

Filesize
1.8MB

Download
memory/1964-286-0x0000000005D40000-0x0000000005D7C000-memory.dmp

Filesize
240KB

Download
memory/1964-285-0x0000000005CE0000-0x0000000005CF2000-memory.dmp

Filesize
72KB

Download
memory/1964-284-0x0000000008170000-0x000000000817A000-memory.dmp

Filesize
40KB

Download
memory/1964-261-0x0000000074CF0000-0x0000000074D04000-memory.dmp

Filesize
80KB

Download
memory/1964-271-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/1964-270-0x0000000006A40000-0x0000000006F6C000-memory.dmp

Filesize
5.2MB

Download
memory/1964-265-0x0000000001300000-0x00000000013C6000-memory.dmp

Filesize
792KB

Download
memory/1964-266-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/1964-269-0x0000000005A10000-0x0000000005A60000-memory.dmp

Filesize
320KB

Download
memory/2536-0-0x0000000000630000-0x0000000000765000-memory.dmp

Filesize
1.2MB

Download
memory/2536-250-0x0000000000630000-0x0000000000765000-memory.dmp

Filesize
1.2MB

Download
memory/2536-8-0x0000000000630000-0x0000000000765000-memory.dmp

Filesize
1.2MB

Download
memory/2536-2-0x0000000000631000-0x00000000006D9000-memory.dmp

Filesize
672KB

Download
memory/3388-264-0x0000000003BC0000-0x0000000004173000-memory.dmp

Filesize
5.7MB

Download
memory/3388-259-0x0000000076000000-0x00000000765B3000-memory.dmp

Filesize
5.7MB

Download
memory/3388-256-0x00007FFAF8110000-0x00007FFAF8305000-memory.dmp

Filesize
2.0MB

Download
memory/3388-258-0x0000000003BC0000-0x0000000004173000-memory.dmp

Filesize
5.7MB

Download
memory/3480-6-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3480-12-0x00000000006C0000-0x0000000000A54000-memory.dmp

Filesize
3.6MB

Download
memory/3480-199-0x00000000006C0000-0x0000000000A54000-memory.dmp

Filesize
3.6MB

Download
memory/3480-10-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3480-14-0x00000000006C0000-0x0000000000A54000-memory.dmp

Filesize
3.6MB

Download
memory/3480-249-0x00000000006C0000-0x0000000000A54000-memory.dmp

Filesize
3.6MB

Download
memory/3480-9-0x00000000006C0000-0x0000000000A54000-memory.dmp

Filesize
3.6MB

Download
memory/3960-252-0x00007FFAF6200000-0x00007FFAF693F000-memory.dmp

Filesize
7.2MB

Download
memory/3960-247-0x00007FFAF6200000-0x00007FFAF693F000-memory.dmp

Filesize
7.2MB

Download
memory/3960-239-0x0000000000550000-0x0000000000F1E000-memory.dmp

Filesize
9.8MB

Download
memory/4744-181-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/4744-222-0x0000000009370000-0x0000000009382000-memory.dmp

Filesize
72KB

Download
memory/4744-223-0x0000000008ED0000-0x0000000008EDA000-memory.dmp

Filesize
40KB

Download
memory/4744-221-0x0000000072DD0000-0x0000000073580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-220-0x0000000009310000-0x0000000009321000-memory.dmp

Filesize
68KB

Download
memory/4744-240-0x0000000072DD0000-0x0000000073580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-219-0x00000000091B0000-0x00000000091BA000-memory.dmp

Filesize
40KB

Download
memory/4744-218-0x000000000A0A0000-0x000000000A71A000-memory.dmp

Filesize
6.5MB

Download
memory/4744-217-0x0000000072DD0000-0x0000000073580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-216-0x0000000009010000-0x00000000090B3000-memory.dmp

Filesize
652KB

Download
memory/4744-203-0x000000006F660000-0x000000006F6AC000-memory.dmp

Filesize
304KB

Download
memory/4744-205-0x000000006F7C0000-0x000000006FB14000-memory.dmp

Filesize
3.3MB

Download
memory/4744-215-0x0000000008FA0000-0x0000000008FBE000-memory.dmp

Filesize
120KB

Download
memory/4744-204-0x0000000072DD0000-0x0000000073580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-202-0x0000000008FC0000-0x0000000008FF2000-memory.dmp

Filesize
200KB

Download
memory/4744-200-0x0000000009470000-0x0000000009A14000-memory.dmp

Filesize
5.6MB

Download
memory/4744-197-0x0000000006110000-0x000000000612A000-memory.dmp

Filesize
104KB

Download
memory/4744-198-0x0000000006170000-0x0000000006192000-memory.dmp

Filesize
136KB

Download
memory/4744-196-0x0000000008C10000-0x0000000008CA6000-memory.dmp

Filesize
600KB

Download
memory/4744-193-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

Filesize
304KB

Download
memory/4744-192-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

Filesize
120KB

Download
memory/4744-191-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-180-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/4744-179-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4744-178-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/4744-177-0x0000000072DD0000-0x0000000073580000-memory.dmp

Filesize
7.7MB

Download
memory/4744-176-0x00000000022C0000-0x00000000022F6000-memory.dmp

Filesize
216KB

Download
memory/4744-175-0x0000000072DDE000-0x0000000072DDF000-memory.dmp

Filesize
4KB

Download