Resubmissions

04/03/2025, 22:10

250304-13blxssvex 10

04/03/2025, 22:03

250304-1yc9yssshx 10

Analysis

  • max time kernel
    415s
  • max time network
    416s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64 arch:x86 image:win11-20250217-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    04/03/2025, 22:10

General

  • Target

    PandorahVNC 1.8.6 Fixed.rar

  • Size

    26.2MB

  • MD5

    93e38c285d4703b75890c99dd30f72cb

  • SHA1

    77e353c82b805d1d55fdb16a4c559e876ff9d3e6

  • SHA256

    04a15dcd45994e3181c002ecb3a5b6cb203b5dc05d634fe4cb015f76a4a006fd

  • SHA512

    8253b0147cad4a3f7722d51294c99b1cc5391abb6a183e406d53eccc17099a5a5dadd4efe9bc6df452d5d463001416090f96950d578d64614de93ec871899ff2

  • SSDEEP

    786432:5I8Am1JqFB9q+8wxzMZLRZ3MojlU7azLlCNRu0qvYyCifjoPq7:zd0ZUZc6U7azLAKbYyC0MPq7

Malware Config

Extracted

Family

arrowrat

Botnet

#GroupName#

C2

#IP#:#PORT#

Mutex

#Mutex#

Extracted

Family

arrowrat

Botnet

Client

C2

80.76.49.15:1112

127.0.0.1:1337

Mutex

System

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell and hides the display window.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 24 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 25 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PandorahVNC 1.8.6 Fixed.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3504
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\system32\Taskmgr.exe
      taskmgr
      2⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2460
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:3076
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3044
    • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe
      "C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed
        2⤵
        • System Location Discovery: System Language Discovery
        PID:460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1464
        2⤵
        • Program crash
        PID:4008
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe
        "C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe"
        2⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\explorer.exe
          "C:\Windows\explorer.exe"
          3⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:420
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 127.0.0.1 1337 SXhcTxoLX
          3⤵
            PID:3564
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 127.0.0.1 1337 SXhcTxoLX
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2800
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c C:/Program Files (x86)/MSBuild/Microsoft/Windows Workflow Foundation/v3.0/Workflow.Targets
              4⤵
              • System Location Discovery: System Language Discovery
              PID:780
          • C:\Windows\System32\ComputerDefaults.exe
            "C:\Windows\System32\ComputerDefaults.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2536
            • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
              "PowerShell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Pan\dora'
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1200
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4108
      • C:\Windows\system32\BackgroundTransferHost.exe
        "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
        1⤵
        • Modifies registry class
        PID:796
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2028 -ip 2028
        1⤵
          PID:3544

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3a6e2108-2c69-4177-80a2-4e21aa50f94a.down_data

          Filesize

          555KB

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_20bbzboi.p1v.ps1

          Filesize

          60B

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\AsmResolver.DotNet.dll

          Filesize

          482KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.File.dll

          Filesize

          40KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\AsmResolver.PE.dll

          Filesize

          304KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\AsmResolver.dll

          Filesize

          57KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe

          Filesize

          158KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Client.exe

          Filesize

          158KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.Data.Desktop.v21.2.dll

          Filesize

          675KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.Data.v21.2.dll

          Filesize

          5.1MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.Images.v21.2.dll

          Filesize

          8.4MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.Utils.v21.2.dll

          Filesize

          17.7MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.XtraBars.v21.2.dll

          Filesize

          6.5MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.XtraEditors.v21.2.dll

          Filesize

          7.5MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.XtraGrid.v21.2.dll

          Filesize

          3.6MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\DevExpress.XtraLayout.v21.2.dll

          Filesize

          2.0MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Pandorah v1.4.exe

          Filesize

          5.1MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe

          Filesize

          5.0MB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\PandorahVNC.exe.config

          Filesize

          3KB

        • C:\Users\Admin\Desktop\PandorahVNC 1.8.6 Fixed\Stub.bin

          Filesize

          158KB
