45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

Resubmissions

07-11-2020 21:55

201107-hpbkxklwmn 10

07-11-2020 21:28

201107-vkwbkzk1ej 10

Analysis

max time kernel
146s
max time network
137s
platform
windows10_x64
resource
win10v20201028
submitted
07-11-2020 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lsass.exe
Size

214KB
MD5

3a87a3c5abcdc92ef421700ac6f5d0d1
SHA1

70509f9eed0f90f62b804da75aa73b6a3f6390ec
SHA256

45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af
SHA512

f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3404 created 4052 3404 WerFault.exe explorer.exe

description	pid	process	target process
PID 3404 created 4052	3404	WerFault.exe	explorer.exe

ServiceHost packer 14 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4052-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-23-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-24-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-26-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-25-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4052-27-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

4052 explorer.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

3708 notepad.exe

pid	process
3708	notepad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\explorer.exe\" -start"	lsass.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
File opened (read-only)	\??\E:	explorer.exe
File opened (read-only)	\??\Y:	explorer.exe
File opened (read-only)	\??\T:	explorer.exe
File opened (read-only)	\??\N:	explorer.exe
File opened (read-only)	\??\I:	explorer.exe
File opened (read-only)	\??\O:	explorer.exe
File opened (read-only)	\??\L:	explorer.exe
File opened (read-only)	\??\J:	explorer.exe
File opened (read-only)	\??\H:	explorer.exe
File opened (read-only)	\??\Z:	explorer.exe
File opened (read-only)	\??\U:	explorer.exe
File opened (read-only)	\??\S:	explorer.exe
File opened (read-only)	\??\P:	explorer.exe
File opened (read-only)	\??\Q:	explorer.exe
File opened (read-only)	\??\M:	explorer.exe
File opened (read-only)	\??\K:	explorer.exe
File opened (read-only)	\??\G:	explorer.exe
File opened (read-only)	\??\X:	explorer.exe
File opened (read-only)	\??\W:	explorer.exe
File opened (read-only)	\??\V:	explorer.exe
File opened (read-only)	\??\R:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\B:	explorer.exe
File opened (read-only)	\??\A:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 geoiptool.com
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3916 4052 WerFault.exe explorer.exe
3404 4052 WerFault.exe explorer.exe

flow	ioc
8	geoiptool.com

pid	pid_target	process	target process
3916	4052	WerFault.exe	explorer.exe
3404	4052	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lsass.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lsass.exe

Suspicious behavior: EnumeratesProcesses 848 IoCs

Processes:

explorer.exe

pid	process
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe
4052	explorer.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

lsass.exeWerFault.exeWerFault.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2484	lsass.exe
Token: SeDebugPrivilege	2484	lsass.exe
Token: SeRestorePrivilege	3916	WerFault.exe
Token: SeBackupPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	3916	WerFault.exe
Token: SeDebugPrivilege	3404	WerFault.exe
Token: SeDebugPrivilege	3344	taskmgr.exe
Token: SeSystemProfilePrivilege	3344	taskmgr.exe
Token: SeCreateGlobalPrivilege	3344	taskmgr.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

taskmgr.exe

pid	process
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

taskmgr.exe

pid	process
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe
3344	taskmgr.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

lsass.exe

description	pid	process	target process
PID 2484 wrote to memory of 4052	2484	lsass.exe	explorer.exe
PID 2484 wrote to memory of 4052	2484	lsass.exe	explorer.exe
PID 2484 wrote to memory of 4052	2484	lsass.exe	explorer.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe
PID 2484 wrote to memory of 3708	2484	lsass.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\lsass.exe
"C:\Users\Admin\AppData\Local\Temp\lsass.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" -start
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1780
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 1800
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\SysWOW64\notepad.exe
notepad.exe
2⤵
- Deletes itself
PID:3708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2236

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
e5be8c65934ad0c00c584026d085108e

SHA1
6ce4c8bc54630bf9f70d3fe93ce91bf44004439f

SHA256
68413df5f5923c0283167f5bf10bb7a65b1cdbea7602d263f64af49820efa315

SHA512
50470648453a249e3ec06572fd418a123bd0500291a8b3bc0c7cde453ac36e027130f49f01c17ab21034d6033abe1f81402166ee80460b0fcb56856f20db2539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
3208da0c038576623565b095fcea4ad1

SHA1
bc421f8eb4b9c6100aa444edece988c01dd63b26

SHA256
16ca708624c0f83871bbb8349e31fba20e5591f298ee91ddf08faf2919041f4b

SHA512
17fd810bdb400ce06167d6009a23cbdafdeb5eb0cb5c18456ec3a833546ad050429b003bdec753aa591d5b370cbb1290633abc1cc71f3ae29e81d58c56b8408c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3bf227caeee1b07d47b29873a1640f1a

SHA1
61af6e587db89d7d7f518bb1e16c2d73451e5ed6

SHA256
30becef61dd6dd9d8b0402aec82db12ebb3ef7b76d854ca1f8bd30fa50ab5980

SHA512
29a3663efa62ccc6dce4e083b7e43e80560de48ebc0eebfff5aed1fc158f0ed65a009589046773cb3c97588005219f45ae414c53f7bffe5a0a2ec80b0c2a903e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CB
MD5
65bf6594d95dd6390855b90b1dbe7996

SHA1
5ee9ac14e902068de265852e88c599dd5e9018d1

SHA256
5a6c3e078b44ec56677cc51be7363932d749263cc96c3a981c2c36e2d373b12d

SHA512
7506d63de159db90652bcd3db10900e5cda8bbb4e17f7b2f59e3de809f059142803d8146f3d0bafa26d24e8f1b76552577ceefff567e58a20e3fa1cfc53602a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_0673414C08DE7F919AE3F6C4CC65AEEE
MD5
e9c0b652bef494aa397b601ed0100410

SHA1
f9e619404ebe27122d7fa0c7f211994da659096e

SHA256
d91da219d0d454dbb67b624adcbc71a5dcccc2f1fc114f8a1af3d03f5edef38a

SHA512
d42a80d7d2c0c5756e4c4e06a56a6e795ca268140a51edef915db6f1909bc42ea29a136c3fb8d67d5fc1c1409019acf889e0256d25dbcdfa46e9e014233f50a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
0e094aa6e4c1942162e5ec20d7c1ee01

SHA1
2ef7913cc74540858daddfe437767b1a18e568cb

SHA256
22f4cc935e4aca60f79b475531b023069c7341f752e548e3d11bf2c361f4dd9e

SHA512
478dcd74baccc60b89f8ff1a49d4d10b65bc62d999261e00ad4ae8401b9972d93d7fcdbfacee5ffb1bed639de597966c20252481b7c29f712a3569f4c6a8dc73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\QA26QEM1.htm
MD5
b1cd7c031debba3a5c77b39b6791c1a7

SHA1
e5d91e14e9c685b06f00e550d9e189deb2075f76

SHA256
57ba053f075e0b80f747f3102ed985687c16a8754d109e7c4d33633269a36aaa

SHA512
d2bbefdc1effb52a38964c4cec5990a5a226248eca36f99e446c0c5704436f666bf1cb514e73b8991411d497d3325ecc646cbd5065c364e92ab6b9c5f1ad4a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UOAPEAJQ\7E8NEBMU.htm
MD5
8615e70875c2cc0b9db16027b9adf11d

SHA1
4ed62cf405311c0ff562a3c59334a15ddc4f1bf9

SHA256
da96949ba6b0567343f144486505c8c8fa1d892fd88c9cbc3ef3d751a570724d

SHA512
cd9dfc88dc2af9438b7d6b618d1b62029b3bdf739fc4daa5b37397afd12c4528561b3bf2fc3f3f2adf3fd1f582d5524332441fd30248fcd078e41aa91e17cb73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
MD5
3a87a3c5abcdc92ef421700ac6f5d0d1

SHA1
70509f9eed0f90f62b804da75aa73b6a3f6390ec

SHA256
45dd162163830e078517e6afb39a1b472d5077394500f2b3f85fa3711eb742af

SHA512
f6ae90245715e6e0a1e640ab123fa2c47971517142a65ebd4960aefac3493cabd65686cdb99623ce06d586f76b1e12d93e238086e83beed0a6bf649eb2518a6f

Download Submit
memory/3404-67-0x00000000058F0000-0x00000000058F1000-memory.dmp

Filesize
4KB

Download
memory/3404-51-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3404-50-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/3708-4-0x0000000000000000-mapping.dmp

Download
memory/3708-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/3916-28-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3916-13-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/4052-15-0x0000000000000000-mapping.dmp

Download
memory/4052-46-0x0000000000000000-mapping.dmp

Download
memory/4052-19-0x0000000000000000-mapping.dmp

Download
memory/4052-20-0x0000000000000000-mapping.dmp

Download
memory/4052-21-0x0000000000000000-mapping.dmp

Download
memory/4052-22-0x0000000000000000-mapping.dmp

Download
memory/4052-23-0x0000000000000000-mapping.dmp

Download
memory/4052-24-0x0000000000000000-mapping.dmp

Download
memory/4052-26-0x0000000000000000-mapping.dmp

Download
memory/4052-25-0x0000000000000000-mapping.dmp

Download
memory/4052-27-0x0000000000000000-mapping.dmp

Download
memory/4052-17-0x0000000000000000-mapping.dmp

Download
memory/4052-37-0x0000000000000000-mapping.dmp

Download
memory/4052-38-0x0000000000000000-mapping.dmp

Download
memory/4052-39-0x0000000000000000-mapping.dmp

Download
memory/4052-40-0x0000000000000000-mapping.dmp

Download
memory/4052-41-0x0000000000000000-mapping.dmp

Download
memory/4052-42-0x0000000000000000-mapping.dmp

Download
memory/4052-43-0x0000000000000000-mapping.dmp

Download
memory/4052-44-0x0000000000000000-mapping.dmp

Download
memory/4052-45-0x0000000000000000-mapping.dmp

Download
memory/4052-18-0x0000000000000000-mapping.dmp

Download
memory/4052-47-0x0000000000000000-mapping.dmp

Download
memory/4052-48-0x0000000000000000-mapping.dmp

Download
memory/4052-49-0x0000000000000000-mapping.dmp

Download
memory/4052-16-0x0000000000000000-mapping.dmp

Download
memory/4052-14-0x0000000000000000-mapping.dmp

Download
memory/4052-53-0x0000000000000000-mapping.dmp

Download
memory/4052-54-0x0000000000000000-mapping.dmp

Download
memory/4052-55-0x0000000000000000-mapping.dmp

Download
memory/4052-56-0x0000000000000000-mapping.dmp

Download
memory/4052-57-0x0000000000000000-mapping.dmp

Download
memory/4052-58-0x0000000000000000-mapping.dmp

Download
memory/4052-59-0x0000000000000000-mapping.dmp

Download
memory/4052-60-0x0000000000000000-mapping.dmp

Download
memory/4052-61-0x0000000000000000-mapping.dmp

Download
memory/4052-62-0x0000000000000000-mapping.dmp

Download
memory/4052-63-0x0000000000000000-mapping.dmp

Download
memory/4052-64-0x0000000000000000-mapping.dmp

Download
memory/4052-65-0x0000000000000000-mapping.dmp

Download
memory/4052-66-0x0000000000000000-mapping.dmp

Download
memory/4052-0-0x0000000000000000-mapping.dmp

Download