sectoprat | 645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 09:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

saleforce_offline_installer.exe
Size

8.9MB
MD5

aa1ec7571a7e45ee718fd35136abb2cc
SHA1

354b52630cd08560aefe7b78efe5e0c0e9cc12a5
SHA256

645e557e03904aca48c1e0467a94de924a8359b6e5a98354a6e44aa2abeba84a
SHA512

c00bce637b1d2f5e28d34da816b0d0d3f1d81cc9fe59c953514b65c70c0e3f8b79c9677d4b928447b14829f884e8524b7966df5fd9d6d18bb87e580026e909c7
SSDEEP

196608:9hjidJFvglcIAtzyRxJugLjygdnyYQ8X+uPOStz73vK:9QdJ1glxAFyRFjycnJnPt73vK

Score

10^/10

sectoprat discovery execution rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4304-190-0x0000000001140000-0x0000000001204000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	saleforce_offline_installer.tmp

Executes dropped EXE 3 IoCs

pid	Process
1016	saleforce_offline_installer.tmp
3136	ISDbg.exe
2916	ISDbg.exe

Loads dropped DLL 12 IoCs

pid	Process
3136	ISDbg.exe
3136	ISDbg.exe
3136	ISDbg.exe
3136	ISDbg.exe
3136	ISDbg.exe
3136	ISDbg.exe
2916	ISDbg.exe
2916	ISDbg.exe
2916	ISDbg.exe
2916	ISDbg.exe
2916	ISDbg.exe
2916	ISDbg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	pastebin.com
55	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 3744	2916	ISDbg.exe	103
PID 3744 set thread context of 4304	3744	cmd.exe	106

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\salesforce.com\OfficeToolkit\3.0\is-M4TDP.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-9DKPL.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-NQCG7.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\bin\is-O2P99.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-LLDQQ.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-ILTQC.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-6NTLF.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\conf\is-L8GFR.tmp	saleforce_offline_installer.tmp
File opened for modification	C:\Program Files (x86)\salesforce.com\unins000.dat	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\unins000.dat	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-EJMSU.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-VG9SR.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-710UU.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-82BJG.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\is-P41M1.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\3rd Party\is-7CL2H.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\common\is-AST8A.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\3rd Party\is-VTSRC.tmp	saleforce_offline_installer.tmp
File created	C:\Program Files (x86)\salesforce.com\Offline2\res\is-DT9HL.tmp	saleforce_offline_installer.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1252	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saleforce_offline_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saleforce_offline_installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISDbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1252	powershell.exe
1252	powershell.exe
2916	ISDbg.exe
3744	cmd.exe
3744	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2916	ISDbg.exe
3744	cmd.exe
3744	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	4304	MSBuild.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1016	saleforce_offline_installer.tmp

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1016	3140	saleforce_offline_installer.exe	87
PID 3140 wrote to memory of 1016	3140	saleforce_offline_installer.exe	87
PID 3140 wrote to memory of 1016	3140	saleforce_offline_installer.exe	87
PID 1016 wrote to memory of 1252	1016	saleforce_offline_installer.tmp	97
PID 1016 wrote to memory of 1252	1016	saleforce_offline_installer.tmp	97
PID 1016 wrote to memory of 1252	1016	saleforce_offline_installer.tmp	97
PID 1252 wrote to memory of 3136	1252	powershell.exe	101
PID 1252 wrote to memory of 3136	1252	powershell.exe	101
PID 1252 wrote to memory of 3136	1252	powershell.exe	101
PID 3136 wrote to memory of 2916	3136	ISDbg.exe	102
PID 3136 wrote to memory of 2916	3136	ISDbg.exe	102
PID 3136 wrote to memory of 2916	3136	ISDbg.exe	102
PID 2916 wrote to memory of 3744	2916	ISDbg.exe	103
PID 2916 wrote to memory of 3744	2916	ISDbg.exe	103
PID 2916 wrote to memory of 3744	2916	ISDbg.exe	103
PID 2916 wrote to memory of 3744	2916	ISDbg.exe	103
PID 3744 wrote to memory of 4304	3744	cmd.exe	106
PID 3744 wrote to memory of 4304	3744	cmd.exe	106
PID 3744 wrote to memory of 4304	3744	cmd.exe	106
PID 3744 wrote to memory of 4304	3744	cmd.exe	106
PID 3744 wrote to memory of 4304	3744	cmd.exe	106

C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe
"C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\is-THLAF.tmp\saleforce_offline_installer.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-THLAF.tmp\saleforce_offline_installer.tmp" /SL5="$70052,1997786,793600,C:\Users\Admin\AppData\Local\Temp\saleforce_offline_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-7JV1C.tmp\Content.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe
      "C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exe
        
        C:\Users\Admin\AppData\Roaming\vkt_secure\ISDbg.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\561d36df

Filesize
1.4MB

MD5
106ee03715f5b36e0923e5630eff2071

SHA1
75cf14953ac4d084116ac8badf506e2b67762e99

SHA256
e03eb5505d861412e5a7066b7f387670c805370591fae80c9a404d9b7d624c12

SHA512
39d207441e773da68227d7a78ac2ecb26d8810d08850b8e1088ab10153158a39884bc2b886f78ca8d2c6137ff5a966d2b686a0a63dd93560e14f1226e35c9ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hcqe5hm.rvz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7JV1C.tmp\Content.ps1

Filesize
7.7MB

MD5
e9b8abe35cac28d8b49782c5c8eceac9

SHA1
b01460a1d72b4cf02460a4756431f0c048e44b52

SHA256
efd04c82dd0838cf7cb22ac8081bc0dafcf8bc34e778795a7ca608a9ab02148b

SHA512
8ed1be382d9e4d624e524640739aa67ae7aa4c14c52f30a87d88b82c30bdf580560f1736e009583318b056a719f8040bc9774d9342e9eebc9798e811c8733b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-THLAF.tmp\saleforce_offline_installer.tmp

Filesize
3.3MB

MD5
1fe979e33257ace3388bc7e809e24379

SHA1
b3971ba1930fa75335d82c72e19939bbbad8a342

SHA256
7b7aaf4dd5e9bb0a3e18a1d948e5283953122da43ea6a42244d3550ffffac3a0

SHA512
7533a960dfb56977955ac2d0521ef5ba8642ec0e6f1a3e18c0e19c75498a113bbd2f4dc97b56250d98aac53cc27176b912afc8435bf0792e91007e913a993135

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\FNP_Act_Installer.dll

Filesize
3.2MB

MD5
818abbbd3717505c01e4e8277406af8f

SHA1
4374b855c5a37e89daa37791d1a4f2c635bf66e7

SHA256
bc0acdfb672ad01ad3b658ee51e2ee6523d56ea4bc4c066b390cf9b494e2aa69

SHA512
7c73ec9b15e82964573db1b7d3996677b244b6efa64cab60cefff6d995d3ea3e6e89c1578c5b5a266b964a19336ce5b956a4a4f37be12b4907dbee827b6613b9

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\ISDbg.exe

Filesize
3.6MB

MD5
7ca79f128adaf85ba662d15af223acac

SHA1
af6d8587efe0fa22b38e623b0358e4636ac7ea65

SHA256
af2f747f6daa4b949ee7e418e36aee0e40de8abd3cbd4dccc26105dbfa8211d6

SHA512
3ac8fd62d6f4143d0704233664d19271f00bc9322239975d3403272cb9f2b4836d8329431507543f973deb353ddb80ea26befe6217a400d3c6fb5e43bc7652fd

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\ISUIServices.dll

Filesize
7.1MB

MD5
a7339e5a1ffc622095a0320d21cb0cf6

SHA1
32151c80dc4c6008d07fb607e9f17251fd4082d4

SHA256
f9a203f8dc6eca92b47c5cff489baadcefad93af234773e7c2a71c8744e3625f

SHA512
5f7158ae048e04f641adc94341638d262863ae6cf7d004dc0a8385b05e910349546aca45cbb8db598ba2e75784b9834e9ddbc312555cfb041ee6a08c10a34d39

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\MSIMG32.dll

Filesize
3KB

MD5
ae2fb3295fd4bee1e651b7b6639d7bfe

SHA1
4ac939d67002aabccf7a5878302a37b8079dda12

SHA256
c1f88d099af72cae6f6baaf7473da78279dc50b112f7fb68f93b5c3f29051c45

SHA512
90c2adc288547a2fec7bf6865b1341f2708ecf1e9ca78e0e440de008c5b032192998a42de0359f267e51d7ed8ee6a8e3ecc007d002d394cc5629cb81d94e9db9

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\MSVCP140.dll

Filesize
437KB

MD5
dc739066c9d0ca961cba2f320cade28e

SHA1
81ed5f7861e748b90c7ae2d18da80d1409d1fa05

SHA256
74e9268a68118bb1ac5154f8f327887715960ccc37ba9dabbe31ecd82dcbaa55

SHA512
4eb181984d989156b8703fd8bb8963d7a5a3b7f981fe747c6992993b7a1395a21f45dbedf08c1483d523e772bdf41330753e1771243b53da36d2539c01171cf1

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Roaming\A9sQ\bacteroid.yml

Filesize
1.2MB

MD5
0d797316bd487c5e3fc756a2bb9c661f

SHA1
ddda0ea9bf18ab2f0354dc9e48bf80a67f027758

SHA256
55968c420227a244c2fb0c2642c560ab8b76839ef9df31ced94f2be3c260ddbf

SHA512
573c56acd1d09f9358dc9e6172c64f19ffde40ef6f2a61a349a43065134a545f31e75b81ea4e41480a33b0e083887c403229fa67d89255634afd975fc113e609

Download Submit
memory/1016-158-0x0000000000460000-0x00000000007B7000-memory.dmp

Filesize
3.3MB

Download
memory/1016-148-0x0000000000460000-0x00000000007B7000-memory.dmp

Filesize
3.3MB

Download
memory/1016-14-0x0000000000460000-0x00000000007B7000-memory.dmp

Filesize
3.3MB

Download
memory/1016-12-0x0000000000460000-0x00000000007B7000-memory.dmp

Filesize
3.3MB

Download
memory/1016-9-0x0000000000460000-0x00000000007B7000-memory.dmp

Filesize
3.3MB

Download
memory/1016-10-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1016-6-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1252-59-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/1252-132-0x0000000072AEE000-0x0000000072AEF000-memory.dmp

Filesize
4KB

Download
memory/1252-70-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/1252-73-0x000000000C640000-0x000000000C6D6000-memory.dmp

Filesize
600KB

Download
memory/1252-74-0x0000000006890000-0x00000000068AA000-memory.dmp

Filesize
104KB

Download
memory/1252-75-0x00000000068F0000-0x0000000006912000-memory.dmp

Filesize
136KB

Download
memory/1252-76-0x000000000CC90000-0x000000000D234000-memory.dmp

Filesize
5.6MB

Download
memory/1252-78-0x000000000C730000-0x000000000C762000-memory.dmp

Filesize
200KB

Download
memory/1252-81-0x000000006F4E0000-0x000000006F834000-memory.dmp

Filesize
3.3MB

Download
memory/1252-80-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/1252-91-0x000000000C770000-0x000000000C78E000-memory.dmp

Filesize
120KB

Download
memory/1252-92-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/1252-93-0x000000000C7A0000-0x000000000C843000-memory.dmp

Filesize
652KB

Download
memory/1252-79-0x000000006F370000-0x000000006F3BC000-memory.dmp

Filesize
304KB

Download
memory/1252-94-0x000000000D8C0000-0x000000000DF3A000-memory.dmp

Filesize
6.5MB

Download
memory/1252-95-0x000000000C930000-0x000000000C93A000-memory.dmp

Filesize
40KB

Download
memory/1252-96-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/1252-97-0x000000000CAA0000-0x000000000CAB1000-memory.dmp

Filesize
68KB

Download
memory/1252-98-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/1252-99-0x000000000CAF0000-0x000000000CB02000-memory.dmp

Filesize
72KB

Download
memory/1252-100-0x000000000CAD0000-0x000000000CADA000-memory.dmp

Filesize
40KB

Download
memory/1252-69-0x0000000005D30000-0x0000000006084000-memory.dmp

Filesize
3.3MB

Download
memory/1252-53-0x0000000072AEE000-0x0000000072AEF000-memory.dmp

Filesize
4KB

Download
memory/1252-58-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1252-133-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/1252-71-0x0000000006370000-0x00000000063BC000-memory.dmp

Filesize
304KB

Download
memory/1252-54-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/1252-57-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/1252-56-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/1252-55-0x0000000072AE0000-0x0000000073290000-memory.dmp

Filesize
7.7MB

Download
memory/2916-168-0x0000000002610000-0x0000000002D3A000-memory.dmp

Filesize
7.2MB

Download
memory/2916-180-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/2916-178-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/2916-179-0x00007FF8A4350000-0x00007FF8A4545000-memory.dmp

Filesize
2.0MB

Download
memory/3136-146-0x0000000073220000-0x000000007339B000-memory.dmp

Filesize
1.5MB

Download
memory/3136-150-0x00007FF8A4350000-0x00007FF8A4545000-memory.dmp

Filesize
2.0MB

Download
memory/3136-136-0x0000000002E30000-0x000000000355A000-memory.dmp

Filesize
7.2MB

Download
memory/3140-165-0x0000000000E00000-0x0000000000ED0000-memory.dmp

Filesize
832KB

Download
memory/3140-8-0x0000000000E00000-0x0000000000ED0000-memory.dmp

Filesize
832KB

Download
memory/3140-0-0x0000000000E00000-0x0000000000ED0000-memory.dmp

Filesize
832KB

Download
memory/3140-2-0x0000000000E01000-0x0000000000EA9000-memory.dmp

Filesize
672KB

Download
memory/3744-183-0x00007FF8A4350000-0x00007FF8A4545000-memory.dmp

Filesize
2.0MB

Download
memory/3744-185-0x0000000074290000-0x000000007440B000-memory.dmp

Filesize
1.5MB

Download
memory/4304-187-0x0000000072D60000-0x0000000073FB4000-memory.dmp

Filesize
18.3MB

Download
memory/4304-190-0x0000000001140000-0x0000000001204000-memory.dmp

Filesize
784KB

Download
memory/4304-191-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4304-192-0x00000000059A0000-0x0000000005B62000-memory.dmp

Filesize
1.8MB

Download
memory/4304-193-0x0000000005820000-0x0000000005896000-memory.dmp

Filesize
472KB

Download
memory/4304-194-0x00000000057A0000-0x00000000057F0000-memory.dmp

Filesize
320KB

Download