adwind | 7c7d68c4590327e3c3b7ca47d8d1b6b6554a07940e4a7dadeb65534babd5d866

Analysis

max time kernel
151s
max time network
103s
platform
windows7_x64
resource
win7v20210408
submitted
20-04-2021 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5.jar
Size

630KB
MD5

085dc6e275b50f45fc1e7973d44af68e
SHA1

94cc43999b1104829fa0ddf16710fcc65f221731
SHA256

7c7d68c4590327e3c3b7ca47d8d1b6b6554a07940e4a7dadeb65534babd5d866
SHA512

188b37b6ae96d27e29377da18da4faabc0bceeeb82baf53b9e0fbcf99d02a14b5ddbd8220d2a5fb762d5b0bbea474587c75ee572f8673f46eb343dae0ea17905

Score

10^/10

adwind evasion persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

1668 javaw.exe
Drops file in System32 directory 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Windows\System32\test.txt javaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

960 taskkill.exe
1004 taskkill.exe
1484 taskkill.exe
1524 taskkill.exe
276 taskkill.exe
1664 taskkill.exe
428 taskkill.exe
Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

1292 regedit.exe
276 regedit.exe

pid	process
1668	javaw.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	javaw.exe

pid	process
960	taskkill.exe
1004	taskkill.exe
1484	taskkill.exe
1524	taskkill.exe
276	taskkill.exe
1664	taskkill.exe
428	taskkill.exe

pid	process
1292	regedit.exe
276	regedit.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeWMIC.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1152	WMIC.exe
Token: SeSecurityPrivilege	1152	WMIC.exe
Token: SeTakeOwnershipPrivilege	1152	WMIC.exe
Token: SeLoadDriverPrivilege	1152	WMIC.exe
Token: SeSystemProfilePrivilege	1152	WMIC.exe
Token: SeSystemtimePrivilege	1152	WMIC.exe
Token: SeProfSingleProcessPrivilege	1152	WMIC.exe
Token: SeIncBasePriorityPrivilege	1152	WMIC.exe
Token: SeCreatePagefilePrivilege	1152	WMIC.exe
Token: SeBackupPrivilege	1152	WMIC.exe
Token: SeRestorePrivilege	1152	WMIC.exe
Token: SeShutdownPrivilege	1152	WMIC.exe
Token: SeDebugPrivilege	1152	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1152	WMIC.exe
Token: SeRemoteShutdownPrivilege	1152	WMIC.exe
Token: SeUndockPrivilege	1152	WMIC.exe
Token: SeManageVolumePrivilege	1152	WMIC.exe
Token: 33	1152	WMIC.exe
Token: 34	1152	WMIC.exe
Token: 35	1152	WMIC.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exejavaw.exe

pid process

328 java.exe
1668 javaw.exe

pid	process
328	java.exe
1668	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exewscript.exejavaw.exejava.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 280 wrote to memory of 1216	280	java.exe	wscript.exe
PID 280 wrote to memory of 1216	280	java.exe	wscript.exe
PID 280 wrote to memory of 1216	280	java.exe	wscript.exe
PID 1216 wrote to memory of 1292	1216	wscript.exe	regedit.exe
PID 1216 wrote to memory of 1292	1216	wscript.exe	regedit.exe
PID 1216 wrote to memory of 1292	1216	wscript.exe	regedit.exe
PID 1216 wrote to memory of 1668	1216	wscript.exe	javaw.exe
PID 1216 wrote to memory of 1668	1216	wscript.exe	javaw.exe
PID 1216 wrote to memory of 1668	1216	wscript.exe	javaw.exe
PID 1668 wrote to memory of 328	1668	javaw.exe	java.exe
PID 1668 wrote to memory of 328	1668	javaw.exe	java.exe
PID 1668 wrote to memory of 328	1668	javaw.exe	java.exe
PID 1668 wrote to memory of 1680	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 1680	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 1680	1668	javaw.exe	cmd.exe
PID 328 wrote to memory of 1592	328	java.exe	cmd.exe
PID 328 wrote to memory of 1592	328	java.exe	cmd.exe
PID 328 wrote to memory of 1592	328	java.exe	cmd.exe
PID 1592 wrote to memory of 1520	1592	cmd.exe	cscript.exe
PID 1592 wrote to memory of 1520	1592	cmd.exe	cscript.exe
PID 1592 wrote to memory of 1520	1592	cmd.exe	cscript.exe
PID 1680 wrote to memory of 1732	1680	cmd.exe	cscript.exe
PID 1680 wrote to memory of 1732	1680	cmd.exe	cscript.exe
PID 1680 wrote to memory of 1732	1680	cmd.exe	cscript.exe
PID 1668 wrote to memory of 944	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 944	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 944	1668	javaw.exe	cmd.exe
PID 328 wrote to memory of 1504	328	java.exe	cmd.exe
PID 328 wrote to memory of 1504	328	java.exe	cmd.exe
PID 328 wrote to memory of 1504	328	java.exe	cmd.exe
PID 944 wrote to memory of 2032	944	cmd.exe	cscript.exe
PID 944 wrote to memory of 2032	944	cmd.exe	cscript.exe
PID 944 wrote to memory of 2032	944	cmd.exe	cscript.exe
PID 1504 wrote to memory of 816	1504	cmd.exe	cscript.exe
PID 1504 wrote to memory of 816	1504	cmd.exe	cscript.exe
PID 1504 wrote to memory of 816	1504	cmd.exe	cscript.exe
PID 1668 wrote to memory of 1600	1668	javaw.exe	xcopy.exe
PID 1668 wrote to memory of 1600	1668	javaw.exe	xcopy.exe
PID 1668 wrote to memory of 1600	1668	javaw.exe	xcopy.exe
PID 328 wrote to memory of 1804	328	java.exe	xcopy.exe
PID 328 wrote to memory of 1804	328	java.exe	xcopy.exe
PID 328 wrote to memory of 1804	328	java.exe	xcopy.exe
PID 1668 wrote to memory of 1232	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 1232	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 1232	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 1004	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1004	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1004	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 888	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 888	1668	javaw.exe	cmd.exe
PID 1668 wrote to memory of 888	1668	javaw.exe	cmd.exe
PID 888 wrote to memory of 276	888	cmd.exe	regedit.exe
PID 888 wrote to memory of 276	888	cmd.exe	regedit.exe
PID 888 wrote to memory of 276	888	cmd.exe	regedit.exe
PID 1668 wrote to memory of 1484	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1484	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1484	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1524	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1524	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1524	1668	javaw.exe	taskkill.exe
PID 1668 wrote to memory of 1152	1668	javaw.exe	WMIC.exe
PID 1668 wrote to memory of 1152	1668	javaw.exe	WMIC.exe
PID 1668 wrote to memory of 1152	1668	javaw.exe	WMIC.exe
PID 1668 wrote to memory of 276	1668	javaw.exe	taskkill.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\5.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:280
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\zfbgeiosgd.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Windows\regedit.exe
    "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1292
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\mlhldoz.txt"
    3⤵
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.80700165996177161588642018085006135.class
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive188636671462478662.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive188636671462478662.vbs
        6⤵
        
        PID:1520
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7118572103185453824.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7118572103185453824.vbs
        6⤵
        
        PID:816
    - - C:\Windows\system32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:1804
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3684817768481390866.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1680
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3684817768481390866.vbs
        5⤵
        
        PID:1732
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6268613086092123034.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6268613086092123034.vbs
        5⤵
        
        PID:2032
  - - C:\Windows\system32\xcopy.exe
      xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:1600
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:1232
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM ProcessHacker.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1004
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\hLQZEIYMQH8189839736136987058.reg
      4⤵
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\hLQZEIYMQH8189839736136987058.reg
        5⤵
        Runs .reg file with regedit
        
        PID:276
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM procexp.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM MSASCui.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM MsMpEng.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:276
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM MpUXSrv.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM MpCmdRun.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM NisSrv.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:960

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive188636671462478662.vbs

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive3684817768481390866.vbs

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive6268613086092123034.vbs

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7118572103185453824.vbs

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.80700165996177161588642018085006135.class

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg

MD5
0e5411d7ecba9a435afda71c6c39d8fd

SHA1
2d6812052bf7be1b5e213e1d813ae39faa07284c

SHA256
cb68d50df5817e51ec5b2f72893dc4c749bf3504519107e0a78dda84d55f09e2

SHA512
903ac6e5c8a12607af267b54bcbbedfa5542c5b4f7ea289ab7c6a32a424d5b846ae406d830cb4ad48e2b46f92c504163c0856af8c3e09685a8855f39f616ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hLQZEIYMQH8189839736136987058.reg

MD5
867b59911af96958b890524cd9002132

SHA1
c8608b295945ac0ad6bd0a7c4ce04579494da971

SHA256
ed7fd6c48c814d80dcb80d36c3ee8686e48979bec7a289b2612d4ef71f59756c

SHA512
7e5c03ded713eec2e1b268e09f9777a8cb2f6868bb25941a3a008cba91551e36dc28275352af5211151aa78e2c8b3c8347ba8044b31f29c3718c4e5a70fe742c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2455352368-1077083310-2879168483-1000\83aa4cc77f591dfc2374580bbd95f6ba_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\mlhldoz.txt

MD5
5386ab97e1f8e6d079eba23149de7e47

SHA1
341fe0494f31c6af8cf7690fa02dacd1c21907f2

SHA256
85011ef9bc53b6d692e1e4cea0ba0a99dce82a53f3b0710c34b042a335150bb4

SHA512
db4d391a2b49adedcba61a077a795a3f5c14441fdd76a6848df2c0a1a505178097ae1facdef2de844dbd826b7b20d767131e1b963bb6f273a7f4eed31ec570d3

Download Submit
C:\Users\Admin\zfbgeiosgd.js

MD5
a5011c0d79c897d84526c43e6c48c5c5

SHA1
51c4825a5ae17ffffae32dee5b7cf42b51cf20a2

SHA256
094ddd437277579bf1c6d593ce40012222d8cea094159081cb9d8dc28a928b5a

SHA512
77a6ab5890d2890241cd1fd2ae6316aee8458387ff4ad04f88c3407a386c8639199d32119b88b92f85b94bc4a05d8a9bdcb97a2bf2e8b3089a2c9aeb839cd5e8

Download Submit
\Users\Admin\AppData\Local\Temp\Windows6167863714974675288.dll

MD5
0ad1fc3ddb524c21c9b31cbe3fd57780

SHA1
70fef487a61944ef9ce9399a83e7be84f6cad58f

SHA256
7da7e2e66b5b79123f9d731d60be76787b6374681e614099f18571a4c4463798

SHA512
62e038824bbb30da6449ac15ed5309aef32a06161acf22d55e02adb998e1705eb293b78a91600552fcc178b9d711fb94eca0d6e78593ad174a14f7fc76f3da18

Download Submit
memory/276-102-0x0000000000000000-mapping.dmp

Download
memory/276-115-0x0000000000000000-mapping.dmp

Download
memory/280-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/280-61-0x0000000002250000-0x00000000024C0000-memory.dmp

Filesize
2.4MB

Download
memory/280-60-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/328-73-0x0000000000000000-mapping.dmp

Download
memory/328-76-0x0000000002540000-0x00000000027B0000-memory.dmp

Filesize
2.4MB

Download
memory/328-78-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/328-95-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/428-119-0x0000000000000000-mapping.dmp

Download
memory/816-89-0x0000000000000000-mapping.dmp

Download
memory/888-101-0x0000000000000000-mapping.dmp

Download
memory/944-86-0x0000000000000000-mapping.dmp

Download
memory/960-125-0x0000000000000000-mapping.dmp

Download
memory/1004-100-0x0000000000000000-mapping.dmp

Download
memory/1152-109-0x0000000000000000-mapping.dmp

Download
memory/1216-62-0x0000000000000000-mapping.dmp

Download
memory/1232-97-0x0000000000000000-mapping.dmp

Download
memory/1292-67-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1292-65-0x0000000000000000-mapping.dmp

Download
memory/1484-106-0x0000000000000000-mapping.dmp

Download
memory/1504-87-0x0000000000000000-mapping.dmp

Download
memory/1520-82-0x0000000000000000-mapping.dmp

Download
memory/1524-108-0x0000000000000000-mapping.dmp

Download
memory/1592-81-0x0000000000000000-mapping.dmp

Download
memory/1600-92-0x0000000000000000-mapping.dmp

Download
memory/1664-118-0x0000000000000000-mapping.dmp

Download
memory/1668-105-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-94-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-72-0x0000000002100000-0x0000000002370000-memory.dmp

Filesize
2.4MB

Download
memory/1668-69-0x0000000000000000-mapping.dmp

Download
memory/1668-79-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-99-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-98-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-111-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-112-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-114-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1668-117-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1680-80-0x0000000000000000-mapping.dmp

Download
memory/1732-83-0x0000000000000000-mapping.dmp

Download
memory/1804-93-0x0000000000000000-mapping.dmp

Download
memory/2032-88-0x0000000000000000-mapping.dmp

Download