96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
08-05-2021 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
Size

890KB
MD5

51025f3d42b690286b2e29da8f93321b
SHA1

6799648b3980ef4bc8d9be2782dc3e25ac1140aa
SHA256

96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085
SHA512

71a431509863a3c213d84ffc655ce60cb4d5992da57a7683922c35406c09f81b394ac3b8860ca299acd75a3aeabcb4f42aa70d55ff3b9e814ae3edd069a01eae

Score

8^/10

agilenet macro persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exeSynaptics.exe

pid process

1416 ._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
1972 Synaptics.exe

pid	process
1416	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
1972	Synaptics.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kYqmZljx.xlsm	office_macros

Loads dropped DLL 4 IoCs

Processes:

96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

pid	process
1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
1416	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	agile_net
C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Synaptics.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1460 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

description pid process

Token: SeDebugPrivilege 1416 ._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1460 EXCEL.EXE

pid	process
1460	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1416	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

pid	process
1460	EXCEL.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe

description	pid	process	target process
PID 1104 wrote to memory of 1416	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
PID 1104 wrote to memory of 1416	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
PID 1104 wrote to memory of 1416	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
PID 1104 wrote to memory of 1416	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
PID 1104 wrote to memory of 1972	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	Synaptics.exe
PID 1104 wrote to memory of 1972	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	Synaptics.exe
PID 1104 wrote to memory of 1972	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	Synaptics.exe
PID 1104 wrote to memory of 1972	1104	96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
"C:\Users\Admin\AppData\Local\Temp\96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1972

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
cf164330da0dde9201f74ebe2b580d3f

SHA1
2299e06512e6a849cc1765964e7c0cc26f6b188c

SHA256
3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

SHA512
ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
cf164330da0dde9201f74ebe2b580d3f

SHA1
2299e06512e6a849cc1765964e7c0cc26f6b188c

SHA256
3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

SHA512
ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
MD5
e91404b6e53345367cd2d5edc40203b8

SHA1
1dde45c00a6135138c0fce705067cc3edfea608e

SHA256
88aa19114d0814d8b375af8143a45ab64715abf9a55b1892443a234e836f4c1c

SHA512
db7c76570f5762c197dc3c91f6f795a16f76905151ecfd9e14001ea2db9cd6cf7f399751f6c255ef901f89666949fef506e006d15997617638fa4c4459ce3db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
MD5
e91404b6e53345367cd2d5edc40203b8

SHA1
1dde45c00a6135138c0fce705067cc3edfea608e

SHA256
88aa19114d0814d8b375af8143a45ab64715abf9a55b1892443a234e836f4c1c

SHA512
db7c76570f5762c197dc3c91f6f795a16f76905151ecfd9e14001ea2db9cd6cf7f399751f6c255ef901f89666949fef506e006d15997617638fa4c4459ce3db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYqmZljx.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
cf164330da0dde9201f74ebe2b580d3f

SHA1
2299e06512e6a849cc1765964e7c0cc26f6b188c

SHA256
3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

SHA512
ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
cf164330da0dde9201f74ebe2b580d3f

SHA1
2299e06512e6a849cc1765964e7c0cc26f6b188c

SHA256
3235b73709f9eae9b2ea5044a0e11f64a4612a02efb9e618eaf390c2a3edecbc

SHA512
ddd150ba9eb719fac7db15845b35686cff38b2f095fc20d0d48e74f67910ecaf5f36d6a89330efcf59b8e2e42c0c6abdf9b61baf7a52c3892e407baf189a7757

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_96fac88bb0db406c095198adf3e941a54eb793c9e58c977fb6377f7663c6e085.exe
MD5
e91404b6e53345367cd2d5edc40203b8

SHA1
1dde45c00a6135138c0fce705067cc3edfea608e

SHA256
88aa19114d0814d8b375af8143a45ab64715abf9a55b1892443a234e836f4c1c

SHA512
db7c76570f5762c197dc3c91f6f795a16f76905151ecfd9e14001ea2db9cd6cf7f399751f6c255ef901f89666949fef506e006d15997617638fa4c4459ce3db4

Download Submit
\Users\Admin\AppData\Local\Temp\1fcdf82f-2378-45b9-8de9-b908d205f0cd\AgileDotNetRT.dll
MD5
14ff402962ad21b78ae0b4c43cd1f194

SHA1
f8a510eb26666e875a5bdd1cadad40602763ad72

SHA256
fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b

SHA512
daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b

Download Submit
memory/1104-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

Filesize
8KB

Download
memory/1416-69-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1416-75-0x00000000756B0000-0x0000000075730000-memory.dmp

Filesize
512KB

Download
memory/1416-78-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1416-63-0x0000000000000000-mapping.dmp

Download
memory/1460-76-0x000000002F861000-0x000000002F864000-memory.dmp

Filesize
12KB

Download
memory/1460-77-0x000000006DC31000-0x000000006DC33000-memory.dmp

Filesize
8KB

Download
memory/1460-79-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1972-73-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1972-68-0x0000000000000000-mapping.dmp

Download