7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93

Analysis

max time kernel
89s
max time network
135s
platform
windows10_x64
resource
win10v20201028
submitted
13-11-2020 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dori.ocx.dll
Size

141KB
MD5

745868c40e6f1d1d40ae60335417f6d7
SHA1

cfe42b4014fc22596b4305271c4a133492603349
SHA256

7a5e4fd35a1a636ef1beb7e62cc647d7e63f5c7aadd2aa1a49d49c81183aca93
SHA512

fae585aa131dfa0c5063991fe13938f73c83d78b43ee142ca39e767ec7db6ec7bb419522b4c0c6c210163b05e95db896388446dd8b70b7a29d4c6fe31d130b18

Score

8^/10

Malware Config

Signatures

Blacklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

26 512 rundll32.exe

flow	pid	process
26	512	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3143315372"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30849459"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3143315372"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07ed4beb3b9d601	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8007f1beb3b9d601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30849459"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a0000000002000000000010660000000100002000000002b1a7dd7fe558b500c3057629a12ca810948d818baf5e4aeeb1c1bc8b217f31000000000e80000000020000200000005dc1d7064670b6f02038dd4fe3ebe51c9ae66783004a727f036c30a43264124d20000000fbb0adf3e361a304c3ea42e41e2bd4b73f3773fc89869c78014b20bff3e9da18400000006f9cd93d5a6526ed9bb65949ed95f56f090c8327e28d7316c7554b3fc3dc354fa5c29cb222556c4a220713f9d00ca588b31ab98ec9270dabfafdf83ee61f480d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001cad0ccd232972468e753df42302a60a000000000200000000001066000000010000200000001493f7b301f2db0e66a2c821e11ab063772a4e68beb04bfc3285b25605083982000000000e8000000002000020000000461ec731165272f8dc9a2afd92fdad45476d0c33dd4b570f131e56a29fed357a20000000fc68b688f5f204e9bca4f8bdc8bffa0e6fe51eef317a9712c53f4a1ec9ccbe6b40000000a884b6ca54dd5ac5fcec266e81d199d62388d58c68340fa615915221465908e402eb2aabdd941317ef0c6a45bf24381067fd520df2220415a83e0abcbb07e31c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E6E0F533-25A6-11EB-B59A-EAF55770C779} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

2284 powershell.exe
2284 powershell.exe
2284 powershell.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

powershell.exerundll32.exe

pid process

2284 powershell.exe
512 rundll32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2284 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4000 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4000 iexplore.exe
4000 iexplore.exe
2380 IEXPLORE.EXE
2380 IEXPLORE.EXE

pid	process
2284	powershell.exe
2284	powershell.exe
2284	powershell.exe

pid	process
2284	powershell.exe
512	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2284	powershell.exe

pid	process
4000	iexplore.exe

pid	process
4000	iexplore.exe
4000	iexplore.exe
2380	IEXPLORE.EXE
2380	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

rundll32.exeiexplore.execmd.exeforfiles.execmd.exepowershell.execsc.execsc.exerundll32.exe

description	pid	process	target process
PID 2268 wrote to memory of 512	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 512	2268	rundll32.exe	rundll32.exe
PID 2268 wrote to memory of 512	2268	rundll32.exe	rundll32.exe
PID 4000 wrote to memory of 2380	4000	iexplore.exe	IEXPLORE.EXE
PID 4000 wrote to memory of 2380	4000	iexplore.exe	IEXPLORE.EXE
PID 4000 wrote to memory of 2380	4000	iexplore.exe	IEXPLORE.EXE
PID 3960 wrote to memory of 3636	3960	cmd.exe	forfiles.exe
PID 3960 wrote to memory of 3636	3960	cmd.exe	forfiles.exe
PID 3636 wrote to memory of 3896	3636	forfiles.exe	cmd.exe
PID 3636 wrote to memory of 3896	3636	forfiles.exe	cmd.exe
PID 3896 wrote to memory of 2284	3896	cmd.exe	powershell.exe
PID 3896 wrote to memory of 2284	3896	cmd.exe	powershell.exe
PID 2284 wrote to memory of 2320	2284	powershell.exe	csc.exe
PID 2284 wrote to memory of 2320	2284	powershell.exe	csc.exe
PID 2320 wrote to memory of 1572	2320	csc.exe	cvtres.exe
PID 2320 wrote to memory of 1572	2320	csc.exe	cvtres.exe
PID 2284 wrote to memory of 748	2284	powershell.exe	csc.exe
PID 2284 wrote to memory of 748	2284	powershell.exe	csc.exe
PID 748 wrote to memory of 356	748	csc.exe	cvtres.exe
PID 748 wrote to memory of 356	748	csc.exe	cvtres.exe
PID 2284 wrote to memory of 3032	2284	powershell.exe	Explorer.EXE
PID 512 wrote to memory of 3032	512	rundll32.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3032

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dori.ocx.dll,#1
3⤵
- Blacklisted process makes network request
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
2⤵
- Suspicious use of WriteProcessMemory
PID:3960

C:\Windows\system32\forfiles.exe
forfiles /c "cmd /k @path -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit" /p C:\Windows\system32 /s /m po*l.e*e
3⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\system32\cmd.exe
/k "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATgBlAHQAaQBkACcAKQAuAFQA
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j04s3o5s\j04s3o5s.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34BD.tmp" "c:\Users\Admin\AppData\Local\Temp\j04s3o5s\CSC7F67302AD8814C2881F48C1779177F5.TMP"
7⤵
PID:1572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ksenfjw4\ksenfjw4.cmdline"
6⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3588.tmp" "c:\Users\Admin\AppData\Local\Temp\ksenfjw4\CSCB4AB3F1D41644231A36353BADBDA74.TMP"
7⤵
PID:356

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4000 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
a69fba04d9b13e82fb772d1b38b6054a

SHA1
f7ab8c1d32ddc58e13f65f9b8bb0cc844f164454

SHA256
733d04f9d9e1fdf85914f097cca3f8bfb3926c38a7ccf69e7c74d887abbc64ff

SHA512
6fae50c73cc08c48d5ecb6814785f82c46ded1dc00ba9a8b02a9b2bd907a10bba6015e0a5753487a12765db242162ce4f822bf5d3381a71ae2143c9f5d34669a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
MD5
bd3fc74f1b941936ca01de9bcf7dd3a9

SHA1
6e6741e633dc0331d4b7176c1ec40f637af9fbe8

SHA256
3f767d49b366a47cc30bceea0835ba3f6b39edd6df105e70ea46249dbc48fc97

SHA512
6634302e605c49f5ec5acfc4d069b864bf0222c3843ceebc7aeecf5ae3e432e702ef96a7cd22b06ead7907a4fdc4fe114c94d3ea58161847a4d2618156e9adf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES34BD.tmp
MD5
45d5cb46180ca0f0be9d1cff408c1be9

SHA1
0e719afad4f26d93891ad3f7970111a93fca0281

SHA256
f3465e2797007ac80e2f9836af9de9951d158ae5be440a0d28eb68c215ee0adb

SHA512
09659f815b962c8b7afb29ad64d4412db23698da27224707c4e99e5bf51b2bd0633eb3b72fc1a551a52117f739af1414c5a6b55f0e74e09c723df60292a0ac1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3588.tmp
MD5
5d4f188db7087c496a1fbf1c66e63e70

SHA1
cc3256d85a3ecc4256e3231f2afae94f8462c2e4

SHA256
200ec80e40f3642a186bb7943d6e11e737356d58222adc7bbe96aca2a886b03a

SHA512
0331fcfa3d6a02cd00ccc74c276919c63fefe666fd525ab3ebc3a9e19d73b1eaed6d2df3e6395e532242f5b7207c24fb8c8163ba69c20183afcb01c294b94a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\j04s3o5s\j04s3o5s.dll
MD5
ea6dafc8ecf15f5148441f3af46ec6ce

SHA1
649f5a4b088dde0ff7a8b391632d28d663525d9a

SHA256
21752239f76230bc740477adbf42894aee2aa0c069576697be5e543a985cf044

SHA512
ac698f7be5d55db8a010fdf794fc465bcf9ac022d3b8ae531acd7fcb9677893097fb228c8ff6b5957ea43c99f5b9d89f3d72515f4bde820e4309e03dfbb6d851

Download Submit
C:\Users\Admin\AppData\Local\Temp\ksenfjw4\ksenfjw4.dll
MD5
e26291e4f333ad2980603e7abe473aed

SHA1
deecbb33e84cacc41a482f905b5652fe3f9687f1

SHA256
161a9d8c035badb228c22a8eb80e0c301c8c249aff119b98bd08681430bc7ec9

SHA512
7b610b707395c5e5007a03e19b54e28f4011046005eba357326081e2c99cf90b143acb86ca9ca55729368ef055a7bd0a13a19563dc8bbdfd20489e8be133e41e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j04s3o5s\CSC7F67302AD8814C2881F48C1779177F5.TMP
MD5
0a923ce56dc926abc994c86cabd8240d

SHA1
41d79abe6eeadbe7ceb623be4026cc1c957533cf

SHA256
fd53d693089adbcd0b354cc9f207c77a81fff5731534ede561ac20cb3f6efc87

SHA512
aebebd24ec73599fb95cb96b8e576cfac8de8c6530f465326baa82f2448e1900ca3cd7fd988dec7110bd70fbba76b96d848fa983e8dc3705859c94f09a336cfb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j04s3o5s\j04s3o5s.0.cs
MD5
aee5ecef6b6a9b4372991443276b71ce

SHA1
911bd26fba4c5e51423f2c6339cc267f8697f339

SHA256
90e03a7c9cb196fd260c54663a4c867f33621ac29746cd8c0a4b2aa9b390754a

SHA512
cf99d4941aa5d1a4dd3abd5ca7a4d3d19a7f497c3247fd09505e263a9a4646b81eb19d7a9312b17a00d22ca9881b6d725b76013b7dc470dcc964b77970c96cc3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\j04s3o5s\j04s3o5s.cmdline
MD5
e6b5c84e486083331c6296c746a01909

SHA1
b08083b9f4515f1cec52a8c5e0c8b3e92198be91

SHA256
3665974a710699927af91f8d25e99c7bde71cfd2516fc1be012b0d9a39e3cd72

SHA512
087293ef4bbb513d65de3481e011e8a3f0e91bba4f12a327b007baf2cdcf402af48344e6e1b2b784f33be3dd736360d75e589ec0e3812546b64add078221e001

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksenfjw4\CSCB4AB3F1D41644231A36353BADBDA74.TMP
MD5
3efa2bed55dd2b08f1ed6e29ff31cb4f

SHA1
9529f9e48296dd2613f9dc86b78e49d2529a4a37

SHA256
09110a72428c083db9220f0ec4e457e9c4470e756af6e9b2130b8aa433fb7d00

SHA512
cc1bddb462a0423b31c02cd9fa700ec474e8c5e3ef9811a0550b8da89f9b0c0cabf0ffa0f66ff259fca2816a89e8efeca9976e29a8937199d68c4d38eb521b1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksenfjw4\ksenfjw4.0.cs
MD5
a5043957e07dbe0dee7bb8aad13a403e

SHA1
571c9136e0e90d016dd83b24c40eadbf7186c701

SHA256
73775570d08cc971668d853274b7c9a0cfb407cf76480747b9e38542e5dc53c9

SHA512
14f98e4902059980ed8f46c72fdefeb404f14df0fa06628476d63f9bb9ed76fd6398abd4de8c1de7dfa2a8b2108c31e2b9b668acfc92958c1eecc4a0c8d656a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ksenfjw4\ksenfjw4.cmdline
MD5
9a0af4d2f024e810f2b7c04e79912df2

SHA1
7d580254ed5c2a2bedbb90c50407b7397733b212

SHA256
f7753240395798e6627948c9d9c80426e1e663fb014afbcca7a6564ca74659fa

SHA512
15e082c8ed293331faefe9c91781b789ede5fc23152cdee0ce1754afd571439f9de1d89fd45dd9b1d79e047a843a782ce7c3b6a363b77ff84f5b178363e81bc9

Download Submit
memory/356-23-0x0000000000000000-mapping.dmp

Download
memory/512-31-0x00000000031E0000-0x00000000031F8000-memory.dmp

Filesize
96KB

Download
memory/512-1-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/512-0-0x0000000000000000-mapping.dmp

Download
memory/748-20-0x0000000000000000-mapping.dmp

Download
memory/1572-15-0x0000000000000000-mapping.dmp

Download
memory/2284-9-0x00007FF989BA0000-0x00007FF98A58C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-19-0x000002666A300000-0x000002666A301000-memory.dmp

Filesize
4KB

Download
memory/2284-8-0x0000000000000000-mapping.dmp

Download
memory/2284-27-0x000002666A310000-0x000002666A311000-memory.dmp

Filesize
4KB

Download
memory/2284-10-0x000002666A2B0000-0x000002666A2B1000-memory.dmp

Filesize
4KB

Download
memory/2284-28-0x000002666A350000-0x000002666ADA0000-memory.dmp

Filesize
10.3MB

Download
memory/2284-29-0x000002666ADC0000-0x000002666ADD8000-memory.dmp

Filesize
96KB

Download
memory/2284-11-0x000002666AFF0000-0x000002666AFF1000-memory.dmp

Filesize
4KB

Download
memory/2320-12-0x0000000000000000-mapping.dmp

Download
memory/2380-2-0x0000000000000000-mapping.dmp

Download
memory/3636-6-0x0000000000000000-mapping.dmp

Download
memory/3636-5-0x0000000000000000-mapping.dmp

Download
memory/3896-7-0x0000000000000000-mapping.dmp

Download