bazarloader | b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7v20201028
submitted
01-04-2021 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subscription_1617291613.xlsb

Score

10^/10

bazarloader nloader dropper loader persistence

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1672	1068	cmd.exe	EXCEL.EXE

Bazar/Team9 Loader payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/792-19-0x0000000001BA0000-0x0000000001BC3000-memory.dmp	BazarLoaderVar1
behavioral1/memory/792-18-0x0000000000430000-0x0000000000455000-memory.dmp	BazarLoaderVar1
behavioral1/memory/792-20-0x00000000001E0000-0x0000000000202000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1384-27-0x0000000001D40000-0x0000000001D63000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2032-37-0x0000000000350000-0x0000000000373000-memory.dmp	BazarLoaderVar1

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/744-14-0x0000000000150000-0x0000000000155000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 744 rundll32.exe
4 744 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

tkqyg.exetkqyg.exeCPPB25E.exeCPPB25E.exe

pid process

792 tkqyg.exe
1384 tkqyg.exe
2032 CPPB25E.exe
1172 CPPB25E.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.execmd.execmd.exe

pid process

744 rundll32.exe
744 rundll32.exe
524 cmd.exe
940 cmd.exe

flow	pid	process
3	744	rundll32.exe
4	744	rundll32.exe

pid	process
792	tkqyg.exe
1384	tkqyg.exe
2032	CPPB25E.exe
1172	CPPB25E.exe

pid	process
744	rundll32.exe
744	rundll32.exe
524	cmd.exe
940	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CPPB25E.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MK90GJVY4Y = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v WYILGH4LL /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CPPB25E.exe O3PAB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\CPPB25E.exe O3PAB"	CPPB25E.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

744 PING.EXE
552 PING.EXE
1328 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tkqyg.exe

pid process

792 tkqyg.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE

pid	process
744	PING.EXE
552	PING.EXE
1328	PING.EXE

pid	process
1068	EXCEL.EXE

pid	process
792	tkqyg.exe

pid	process
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exetkqyg.execmd.exetkqyg.execmd.exeCPPB25E.execmd.exe

description	pid	process	target process
PID 1068 wrote to memory of 1672	1068	EXCEL.EXE	cmd.exe
PID 1068 wrote to memory of 1672	1068	EXCEL.EXE	cmd.exe
PID 1068 wrote to memory of 1672	1068	EXCEL.EXE	cmd.exe
PID 1068 wrote to memory of 1672	1068	EXCEL.EXE	cmd.exe
PID 1672 wrote to memory of 1496	1672	cmd.exe	certutil.exe
PID 1672 wrote to memory of 1496	1672	cmd.exe	certutil.exe
PID 1672 wrote to memory of 1496	1672	cmd.exe	certutil.exe
PID 1672 wrote to memory of 1496	1672	cmd.exe	certutil.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 1672 wrote to memory of 744	1672	cmd.exe	rundll32.exe
PID 744 wrote to memory of 792	744	rundll32.exe	tkqyg.exe
PID 744 wrote to memory of 792	744	rundll32.exe	tkqyg.exe
PID 744 wrote to memory of 792	744	rundll32.exe	tkqyg.exe
PID 744 wrote to memory of 792	744	rundll32.exe	tkqyg.exe
PID 792 wrote to memory of 944	792	tkqyg.exe	cmd.exe
PID 792 wrote to memory of 944	792	tkqyg.exe	cmd.exe
PID 792 wrote to memory of 944	792	tkqyg.exe	cmd.exe
PID 944 wrote to memory of 552	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 552	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 552	944	cmd.exe	PING.EXE
PID 944 wrote to memory of 1384	944	cmd.exe	tkqyg.exe
PID 944 wrote to memory of 1384	944	cmd.exe	tkqyg.exe
PID 944 wrote to memory of 1384	944	cmd.exe	tkqyg.exe
PID 1384 wrote to memory of 524	1384	tkqyg.exe	cmd.exe
PID 1384 wrote to memory of 524	1384	tkqyg.exe	cmd.exe
PID 1384 wrote to memory of 524	1384	tkqyg.exe	cmd.exe
PID 524 wrote to memory of 1328	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 1328	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 1328	524	cmd.exe	PING.EXE
PID 524 wrote to memory of 2032	524	cmd.exe	CPPB25E.exe
PID 524 wrote to memory of 2032	524	cmd.exe	CPPB25E.exe
PID 524 wrote to memory of 2032	524	cmd.exe	CPPB25E.exe
PID 2032 wrote to memory of 940	2032	CPPB25E.exe	cmd.exe
PID 2032 wrote to memory of 940	2032	CPPB25E.exe	cmd.exe
PID 2032 wrote to memory of 940	2032	CPPB25E.exe	cmd.exe
PID 940 wrote to memory of 744	940	cmd.exe	PING.EXE
PID 940 wrote to memory of 744	940	cmd.exe	PING.EXE
PID 940 wrote to memory of 744	940	cmd.exe	PING.EXE
PID 940 wrote to memory of 1172	940	cmd.exe	CPPB25E.exe
PID 940 wrote to memory of 1172	940	cmd.exe	CPPB25E.exe
PID 940 wrote to memory of 1172	940	cmd.exe	CPPB25E.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui
3⤵
PID:1496

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\569390.ui,DF1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:744

C:\ProgramData\tkqyg\tkqyg.exe
"C:\ProgramData\tkqyg\tkqyg.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe QB2KET
5⤵
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
6⤵
- Runs ping.exe
PID:552

C:\ProgramData\tkqyg\tkqyg.exe
C:\ProgramData\tkqyg\tkqyg.exe QB2KET
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
7⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
8⤵
- Runs ping.exe
PID:1328

C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
9⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
10⤵
- Runs ping.exe
PID:744

C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
10⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
MD5
9d96c6e1a217708aa7a2e8466fa9a3ad

SHA1
1b501be99ec067c24bf1453b80ba43c3be74129d

SHA256
9a2d013b1362250440641e7d7fe10bcefe1ce170ff6b8b2847756a15e139836b

SHA512
82a8d4aa8f85e5340898cad16be3f6ca87cb0299488f88eb0707fbb4cc5e5b5188389408ca0c7507258a6f79f206f81276a50e97ccb7773f088a7bbdaa6dc52a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
MD5
11f2c51d9e159cc23771640061d60f88

SHA1
c929a5c7ad079290f545fce346bcc73f5079ea94

SHA256
f9d29df85cdadebc35ca53c6be476931b9380892a646c1ae912bf032bf519c8f

SHA512
eb3fef822c982504052cf0c710d09e107d1621b40852df20726af17b426a7a3a5906aea328193ec020a62de490ac2505592f05f7b0aa0a02cdc56ad6a06044fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb
MD5
343dc36a00dc66f25224b9956963cc95

SHA1
0c2740b2b4c16f258bb08095925ec0fc67bc9fd6

SHA256
40734428dd1c172d31a68666d769c77fb18cc77d16fef37d4f67776facce13ed

SHA512
d6e295f6ba7ab6501b93f26ef6607cf0976c6d06524756b1850d1308adcd134fa97afda1e0bb37d24f4ea01de9a6bb8362c6b3f3ab580f1b0e90cfc998e518ea

Download Submit
C:\Users\Public\569390.pdi
MD5
5cc5f895b91ab4c1835ac9b83e86663b

SHA1
b51565a65b167172b71516435f4118ec9a278673

SHA256
81a75221faf7f28e2b2ce76471499d72b94da9ae48e0e1dc5bf01060e9195065

SHA512
3a4289acdc392d999f4edde46c4261956b9be0aba355dc730a7bee08b9b00dff8733f84c97365aa773fad8bde29aa8dc040aac3067e7af3e7f75049c897e08f0

Download Submit
C:\Users\Public\569390.ui
MD5
f4dc5b1151ed77bfcfae8b73147d93c2

SHA1
e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

SHA256
71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

SHA512
077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

Download Submit
\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
\Users\Admin\AppData\Local\Temp\CPPB25E.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
\Users\Admin\AppData\Local\Temp\CPPB25E.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
\Users\Public\569390.ui
MD5
f4dc5b1151ed77bfcfae8b73147d93c2

SHA1
e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

SHA256
71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

SHA512
077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

Download Submit
memory/524-30-0x0000000000000000-mapping.dmp

Download
memory/552-22-0x0000000000000000-mapping.dmp

Download
memory/744-14-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/744-10-0x0000000000000000-mapping.dmp

Download
memory/744-40-0x0000000000000000-mapping.dmp

Download
memory/792-19-0x0000000001BA0000-0x0000000001BC3000-memory.dmp

Filesize
140KB

Download
memory/792-20-0x00000000001E0000-0x0000000000202000-memory.dmp

Filesize
136KB

Download
memory/792-18-0x0000000000430000-0x0000000000455000-memory.dmp

Filesize
148KB

Download
memory/792-16-0x0000000000000000-mapping.dmp

Download
memory/940-39-0x0000000000000000-mapping.dmp

Download
memory/944-21-0x0000000000000000-mapping.dmp

Download
memory/1068-3-0x0000000071681000-0x0000000071683000-memory.dmp

Filesize
8KB

Download
memory/1068-2-0x000000002FF01000-0x000000002FF04000-memory.dmp

Filesize
12KB

Download
memory/1068-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1172-42-0x0000000000000000-mapping.dmp

Download
memory/1328-31-0x0000000000000000-mapping.dmp

Download
memory/1384-27-0x0000000001D40000-0x0000000001D63000-memory.dmp

Filesize
140KB

Download
memory/1384-23-0x0000000000000000-mapping.dmp

Download
memory/1496-7-0x0000000000000000-mapping.dmp

Download
memory/1496-8-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1672-6-0x0000000000000000-mapping.dmp

Download
memory/1728-5-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

Filesize
2.5MB

Download
memory/2032-37-0x0000000000350000-0x0000000000373000-memory.dmp

Filesize
140KB

Download
memory/2032-33-0x0000000000000000-mapping.dmp

Download