Overview

overview

10

Static

static

dc5ba84e57...84.exe

windows7_x64

10

dc5ba84e57...84.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    82s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-03-2021 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe

  • Size

    380KB

  • MD5

    a1ef511c6b47307948465fe6e1af6997

  • SHA1

    103f8cc1af6581b4be3f606fd86940d632a450d1

  • SHA256

    dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584

  • SHA512

    8cc28fc5e1e3e000e977f2f55fa9cf938dd29346e656d013c9ac126572d6eab469b3c3cac9d83683e37c3a220d1a12b22abb0d388483eab07a3ed92965be6821

Score
10/10
dharmaxmrigminerpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

Ransom Note
YOUR FILES ARE ENCRYPTED Don't worry,you can return all your files! If you want to restore them, follow this link: email GetDecoding@zimbabwe.su YOUR ID If you have not been answered via the link within 12 hours, write to us by e-mail: getdecoding@msgsafe.io Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Emails

GetDecoding@zimbabwe.su

getdecoding@msgsafe.io

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 2 IoCs
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Deletes itself 1 IoCs
  • Drops startup file 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 3 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe
    "C:\Users\Admin\AppData\Local\Temp\dc5ba84e57cf8d8dfcb8fb2de6f842786428fc46c34d8a3e02c8119bbd9f7584.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -noProfile -File takeaway.ps1 winhost
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES74F7.tmp" "c:\Users\Admin\AppData\Local\Temp\5q3ruqys\CSCE41A1056887A4B30B78BE0D347B207D.TMP"
          4⤵
            PID:3984
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File purgeMemory.ps1
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:196
          • C:\Windows\SysWOW64\vssadmin.exe
            "C:\Windows\system32\vssadmin.exe" delete shadows /all
            4⤵
            • Interacts with shadow copies
            PID:2056
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3208
        • C:\Users\Admin\AppData\Local\Temp\NS2.exe
          "C:\Users\Admin\AppData\Local\Temp\NS2.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            4⤵
              PID:2584
          • C:\Users\Admin\AppData\Local\Temp\winhost.exe
            "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
            3⤵
            • Executes dropped EXE
            • Modifies extensions of user files
            • Deletes itself
            • Drops startup file
            • Adds Run key to start application
            • Drops desktop.ini file(s)
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1012
            • C:\Windows\system32\cmd.exe
              "C:\Windows\system32\cmd.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2332
              • C:\Windows\system32\mode.com
                mode con cp select=1251
                5⤵
                  PID:3912
                • C:\Windows\system32\vssadmin.exe
                  vssadmin delete shadows /all /quiet
                  5⤵
                  • Interacts with shadow copies
                  PID:2264
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:260
                • C:\Windows\system32\mode.com
                  mode con cp select=1251
                  5⤵
                    PID:1532
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    5⤵
                    • Interacts with shadow copies
                    PID:2508
                • C:\Windows\System32\mshta.exe
                  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                  4⤵
                    PID:204
                  • C:\Windows\System32\mshta.exe
                    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
                    4⤵
                      PID:3872
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2292
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1308
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalService -s FontCache
                1⤵
                • Drops file in Windows directory
                • Modifies data under HKEY_USERS
                PID:2116

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              Defense Evasion

              File Deletion

              2
              T1107

              Modify Registry

              1
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              System Information Discovery

              1
              T1082

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Inhibit System Recovery

              2
              T1490

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                MD5

                962418b7a9d994c8c4a535bc49a2d349

                SHA1

                a398b9f24cea070ea1917e4aaa3d99be4ed4fe70

                SHA256

                69dd336d94cce517632c9f1f7432c5d24d03d4d2f4e5fce45056d4e64a2f2d8f

                SHA512

                8ee4d0e6064dd7dbdb0b9ee5c85113a3960e7f86888f9d41e54f985bd7420a903b2848d94c85301e50f0804d0b1581a4b36af89998c683a2eb8b660074183cc2

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                MD5

                a1bc63feab712c2486f1aa40b551818c

                SHA1

                1ecda30d5f5f3bcfdf94785629b5a65265b73ee5

                SHA256

                9fd47d7d1a98ef6ccdadbfa9d63a909363655b9cee08a1a513bfecad3029f48f

                SHA512

                001b75aad5261795ff57169d571c4d020c891536e33ed7ebc3128a1682d30828d666513e50fa10bd497094ae8f51128ed7191f05aa9e32a0294da0ed36ae7a9a

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                MD5

                a1bc63feab712c2486f1aa40b551818c

                SHA1

                1ecda30d5f5f3bcfdf94785629b5a65265b73ee5

                SHA256

                9fd47d7d1a98ef6ccdadbfa9d63a909363655b9cee08a1a513bfecad3029f48f

                SHA512

                001b75aad5261795ff57169d571c4d020c891536e33ed7ebc3128a1682d30828d666513e50fa10bd497094ae8f51128ed7191f05aa9e32a0294da0ed36ae7a9a

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.dll
                MD5

                7be575c48e33ec0b07550b71221a5cfa

                SHA1

                c5ff1b2b30fa35b2aab202b48e590dcf85ba0287

                SHA256

                67aea155121d8eae80fc16b17801732ab99f65f65dd835f45ce39cae6ba17bf1

                SHA512

                4a1c6e8f14eced589a893717d30837f43bc56fc5332cf14231426496f86246fd92fb6539279beb98ca839d428204f64715d78dbe73d7dca191dc0bbc6dbf870e

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\NS2.exe
                MD5

                597de376b1f80c06d501415dd973dcec

                SHA1

                629c9649ced38fd815124221b80c9d9c59a85e74

                SHA256

                f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

                SHA512

                072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\NS2.exe
                MD5

                597de376b1f80c06d501415dd973dcec

                SHA1

                629c9649ced38fd815124221b80c9d9c59a85e74

                SHA256

                f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

                SHA512

                072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\RES74F7.tmp
                MD5

                b34c566a009efc9f1f890c0fb3fd6b62

                SHA1

                5a883b16cc16ed4531554dfc90e82810bb4af9f7

                SHA256

                67cddd999add1e57fe095c4028fba5e1d9bd257b897c9e134d3f33a6bed28788

                SHA512

                29ca18b7912119a1741648644d4378ff9d24cb621a0a5ec1611754377c48d46f200fcb5724b55153013a908801f88fc92258ea480188c246a40c9bfebf75591f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\purgeMemory.ps1
                MD5

                31e22820cba11f6c7670854ed65f09ed

                SHA1

                9ab447c539234e75b56b3e180f3541580ffa0cea

                SHA256

                6a808299703119635c68fcadb14b7301775b49eb5948aeb319b6728f1686f035

                SHA512

                fbc97b21f9627687070edf9727f68062e8d5d71447497a0a0bd63bbe2ea3b0e753849226cb4cd9688f838e103e348dc070dc8360937e2662ff23291c4b2910fe

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\takeaway.ps1
                MD5

                08c0963ddf483e5c233026380de1b6d0

                SHA1

                1e3a06d038a48c76a6ad0c400cf145109e7179b7

                SHA256

                488590a74e0ab3e1a8942146d3b0f1ce1c0a0841fede177406635bb68cc7ba59

                SHA512

                a73d58c5881468d504dc67b6ff1830d2147394717ef3ed8dd8489ae060d1d3a12eac7c500d7d5f0f915e6497a19f43c08ada089f5b9855f34a99898fc772317f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\winhost.exe
                MD5

                c24f6144e905b717a372c529d969611e

                SHA1

                0a297e9e5c807c06ad10f4f746f4f9e256df6743

                SHA256

                94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

                SHA512

                f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\winhost.exe
                MD5

                c24f6144e905b717a372c529d969611e

                SHA1

                0a297e9e5c807c06ad10f4f746f4f9e256df6743

                SHA256

                94ef44e3f7be172fb47203eb942e4601f1a96cb4bfd37e055fd6cf39b5db49a6

                SHA512

                f0b883f54808a5e669fdd7a41a3899d302edb8c4e6160ea88ec8cb25783d56c39a815b922b17ed133610f1dc3bc515eba63410d381d0e65e0998e2b752b0874f

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                76966bf51067f84cffd1c38362fba489

                SHA1

                0f9da407f993054582613d31d881f45524727721

                SHA256

                c01310d8fc80c08e0b7cebd36605f5cb228d0d3aef3153201676e0eabbca4621

                SHA512

                b3e132173bbc08efedc9d279ae76a814290eaf3b21b7c3bfca8620e7d5e2612c86e496c752bfc43ca7d9a5641c72bd2991f04fe46eb8460f4cf5b3146ee5ce33

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                MD5

                d41d8cd98f00b204e9800998ecf8427e

                SHA1

                da39a3ee5e6b4b0d3255bfef95601890afd80709

                SHA256

                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                SHA512

                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
                MD5

                962418b7a9d994c8c4a535bc49a2d349

                SHA1

                a398b9f24cea070ea1917e4aaa3d99be4ed4fe70

                SHA256

                69dd336d94cce517632c9f1f7432c5d24d03d4d2f4e5fce45056d4e64a2f2d8f

                SHA512

                8ee4d0e6064dd7dbdb0b9ee5c85113a3960e7f86888f9d41e54f985bd7420a903b2848d94c85301e50f0804d0b1581a4b36af89998c683a2eb8b660074183cc2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.0.cs
                MD5

                9c478287d8b4ad6cd34ac20bdac9577c

                SHA1

                73965974950d1be20682abc2f716e5070f2c7097

                SHA256

                8bb1e373d78c7c750ac20b5b0ec3dfcd1e8e74ca8d6accde1e02aa2c205c776f

                SHA512

                b0c435e194b5a72c50ddccf2bc84d178e5e1872f4ed3f630a661d187f77f4eb095a08303e4d243c45384a84b717fd2d5c76c5c4274cade5ad1a09dcdcd4ca6a2

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\5q3ruqys.cmdline
                MD5

                df457047995cc0ecc31eb5579b1b3d9a

                SHA1

                49c91dc108eaf9f3c4c4c9fd12067b1e4bb84577

                SHA256

                7d0d203114f29d785b135b33b4ef49dceb699889eaf3f0acd07acbea8a97275d

                SHA512

                bb53cd83c9af17d1b44941205e5bca1afb6b0377e051e24febda186e177ad8c0f598f223a912bdeba17916dd1fa130f198c35b71159920d833e35ececbce8dac

                Download Submit
              • \??\c:\Users\Admin\AppData\Local\Temp\5q3ruqys\CSCE41A1056887A4B30B78BE0D347B207D.TMP
                MD5

                43f98d5f821e92fb05338075c1ffc8bc

                SHA1

                e93ea52b42ad862579913a388e37e0964a21390e

                SHA256

                60f37b4f4be790006832291397cfd00a0743900a0b7565d6834b12e98327f03e

                SHA512

                884a4f7240bce6b5290e7867854cb9936c66ab1d4bbf55fd7895cc482e0d563c1b5a92eb52cc0cca7342910c9656d5287ec85c516623855fd365072fde1855a2

                Download Submit
              • memory/188-13-0x0000000007D40000-0x0000000007D41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-9-0x0000000007400000-0x0000000007401000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-17-0x0000000009C40000-0x0000000009C41000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-15-0x00000000084D0000-0x00000000084D1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-14-0x00000000086F0000-0x00000000086F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-12-0x0000000007DE0000-0x0000000007DE1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-26-0x0000000007040000-0x0000000007041000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-27-0x00000000095C0000-0x00000000095C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-28-0x00000000094F0000-0x00000000094F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-29-0x000000000A2C0000-0x000000000A2C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-11-0x0000000007BD0000-0x0000000007BD1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-10-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-33-0x0000000009AA0000-0x0000000009AD3000-memory.dmp
                Filesize

                204KB

                Download
              • memory/188-18-0x00000000091F0000-0x00000000091F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-44-0x0000000009A80000-0x0000000009A81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-45-0x0000000009AE0000-0x0000000009AE1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-8-0x0000000004AE2000-0x0000000004AE3000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-7-0x00000000075A0000-0x00000000075A1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-49-0x000000007FBB0000-0x000000007FBB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-56-0x0000000004AE3000-0x0000000004AE4000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-6-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-60-0x000000000A7C0000-0x000000000A7C1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-62-0x0000000009C20000-0x0000000009C21000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-5-0x0000000004B30000-0x0000000004B31000-memory.dmp
                Filesize

                4KB

                Download
              • memory/188-4-0x0000000073650000-0x0000000073D3E000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/188-3-0x0000000000000000-mapping.dmp
                Download
              • memory/196-51-0x0000000005650000-0x0000000005651000-memory.dmp
                Filesize

                4KB

                Download
              • memory/196-52-0x0000000005652000-0x0000000005653000-memory.dmp
                Filesize

                4KB

                Download
              • memory/196-40-0x0000000073650000-0x0000000073D3E000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/196-30-0x0000000000000000-mapping.dmp
                Download
              • memory/196-81-0x0000000005654000-0x0000000005656000-memory.dmp
                Filesize

                8KB

                Download
              • memory/196-78-0x0000000009DF0000-0x0000000009DF1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/196-79-0x0000000005653000-0x0000000005654000-memory.dmp
                Filesize

                4KB

                Download
              • memory/204-103-0x0000000000000000-mapping.dmp
                Download
              • memory/260-102-0x0000000000000000-mapping.dmp
                Download
              • memory/640-2-0x00000000026F0000-0x00000000026F1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1012-71-0x0000000000000000-mapping.dmp
                Download
              • memory/1532-105-0x0000000000000000-mapping.dmp
                Download
              • memory/2056-75-0x0000000000000000-mapping.dmp
                Download
              • memory/2264-76-0x0000000000000000-mapping.dmp
                Download
              • memory/2332-73-0x0000000000000000-mapping.dmp
                Download
              • memory/2508-106-0x0000000000000000-mapping.dmp
                Download
              • memory/2584-77-0x0000000000000000-mapping.dmp
                Download
              • memory/3208-86-0x0000000006982000-0x0000000006983000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3208-83-0x0000000006980000-0x0000000006981000-memory.dmp
                Filesize

                4KB

                Download
              • memory/3208-82-0x0000000073650000-0x0000000073D3E000-memory.dmp
                Filesize

                6.9MB

                Download
              • memory/3208-80-0x0000000000000000-mapping.dmp
                Download
              • memory/3844-19-0x0000000000000000-mapping.dmp
                Download
              • memory/3872-104-0x0000000000000000-mapping.dmp
                Download
              • memory/3912-74-0x0000000000000000-mapping.dmp
                Download
              • memory/3984-22-0x0000000000000000-mapping.dmp
                Download
              • memory/3988-68-0x0000000000000000-mapping.dmp
                Download