e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7v20210408
submitted
09-05-2021 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
Size

1.6MB
MD5

9b7eac5bd1fee50966a3b444ee80b342
SHA1

620bf8b1391c05126a59f9b04f54fb4fbe5d6036
SHA256

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44
SHA512

cdf632ed79ee1ad15c1c13d357596b8008fe7cb5b2b295237af6f4f3033ebabacc97973a447ce246f44430b6b8b5adff1a95905ec9f322e91d47b2ba92e1c3fe

Score

8^/10

macro persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeSynaptics.exeTempSetup.exeTempSetup.exe~TSP_Dork_generator_v_15_0.exesvchost.exe

pid	process
1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
2032	Synaptics.exe
1828	TempSetup.exe
1132	TempSetup.exe
1732	~TSP_Dork_generator_v_15_0.exe
948	svchost.exe

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LFMMaEW8.xlsm	office_macros

Loads dropped DLL 3 IoCs

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

pid	process
784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeTempSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel(R) Common Networking System = "C:\\Users\\Admin\\AppData\\Roaming\\Intel Corporation\\Intel(R) Common User Interface\\8.1.1.7900\\svchost.exe"	TempSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1224 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TempSetup.exeTempSetup.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1828 TempSetup.exe
Token: SeDebugPrivilege 1132 TempSetup.exe
Token: SeDebugPrivilege 948 svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1224 EXCEL.EXE

pid	process
1224	EXCEL.EXE

description	pid	process
Token: SeDebugPrivilege	1828	TempSetup.exe
Token: SeDebugPrivilege	1132	TempSetup.exe
Token: SeDebugPrivilege	948	svchost.exe

pid	process
1224	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exeTempSetup.exe

description	pid	process	target process
PID 784 wrote to memory of 1424	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 784 wrote to memory of 1424	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 784 wrote to memory of 1424	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 784 wrote to memory of 1424	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
PID 784 wrote to memory of 2032	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 784 wrote to memory of 2032	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 784 wrote to memory of 2032	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 784 wrote to memory of 2032	784	e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	Synaptics.exe
PID 1424 wrote to memory of 1828	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1828	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1828	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1132	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1132	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1132	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	TempSetup.exe
PID 1424 wrote to memory of 1732	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	~TSP_Dork_generator_v_15_0.exe
PID 1424 wrote to memory of 1732	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	~TSP_Dork_generator_v_15_0.exe
PID 1424 wrote to memory of 1732	1424	._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe	~TSP_Dork_generator_v_15_0.exe
PID 1132 wrote to memory of 948	1132	TempSetup.exe	svchost.exe
PID 1132 wrote to memory of 948	1132	TempSetup.exe	svchost.exe
PID 1132 wrote to memory of 948	1132	TempSetup.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
"C:\Users\Admin\AppData\Local\Temp\e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Users\Admin\AppData\Local\TempSetup.exe
"C:\Users\Admin\AppData\Local\TempSetup.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
"C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
"C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe"
3⤵
- Executes dropped EXE
PID:1732

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Executes dropped EXE
PID:2032

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\TempSetup.exe
MD5
1d26acfd119d4f1122588a421765ff3c

SHA1
2bc59f88356862633afaa75b26eb9d5febd9f9e9

SHA256
b999d0bde7c191f8897a9f5657c0c171320845669a2483e52df8ab09cf2d5421

SHA512
4da04e0cd1266c0a975319fadd16442093d01b72a074819913a398c0f85f8a4b54191c225455759cfa5d6ff5e133ebd415611c975b9af019eda15beff2c33dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
MD5
1e492acc3fada41dbade170550fa827f

SHA1
475f04705b725d445382988d6443a6490af93c17

SHA256
fb1e10eff8178b1fed9c14a4a76c3dd5736ba2879fd7f0160e485d931925c6d1

SHA512
475180ebd1057622f446b32e2a64541d2fec46897fd14a74cc27037f0102fe130418afd968929d7cf724ff7c109617c01080099f457eb6ec962fe2aa69a07dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
MD5
1e492acc3fada41dbade170550fa827f

SHA1
475f04705b725d445382988d6443a6490af93c17

SHA256
fb1e10eff8178b1fed9c14a4a76c3dd5736ba2879fd7f0160e485d931925c6d1

SHA512
475180ebd1057622f446b32e2a64541d2fec46897fd14a74cc27037f0102fe130418afd968929d7cf724ff7c109617c01080099f457eb6ec962fe2aa69a07dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFMMaEW8.xlsm
MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
MD5
59e02b754902f1d61d67e386db256590

SHA1
0acf056d3a4ed2a02e4769914eb6bef050f6b7f1

SHA256
a97419010956d614699f565b4f8a78c34c184638a8ed03d83017c6db76da2806

SHA512
d356cc5e360ad0dfb0f39d5459209d60ce38102fbae2fd2fbed037b89af211b90dabe29087c2d5990a0ed40773c8ce2f6c1f8fff9d81349eecdbf775e29d3b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~TSP_Dork_generator_v_15_0.exe
MD5
59e02b754902f1d61d67e386db256590

SHA1
0acf056d3a4ed2a02e4769914eb6bef050f6b7f1

SHA256
a97419010956d614699f565b4f8a78c34c184638a8ed03d83017c6db76da2806

SHA512
d356cc5e360ad0dfb0f39d5459209d60ce38102fbae2fd2fbed037b89af211b90dabe29087c2d5990a0ed40773c8ce2f6c1f8fff9d81349eecdbf775e29d3b88

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
MD5
248b2767cad501ee9927da00c80f3c26

SHA1
c948475d1b44a737370d9068312b0ee7c323ecb2

SHA256
5de29b1fd0d3452ede3264c156342c18115eb076138330eae8ab2b984c8e75fd

SHA512
e25341c8aedda93525cd79f6c52e45c4060e378bf42ac6ce3aefe15417daa081f410ac0f9f818edcbd95e1d555bef9472be37e7d73f30de05025990fd1850cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\svchost.exe
MD5
248b2767cad501ee9927da00c80f3c26

SHA1
c948475d1b44a737370d9068312b0ee7c323ecb2

SHA256
5de29b1fd0d3452ede3264c156342c18115eb076138330eae8ab2b984c8e75fd

SHA512
e25341c8aedda93525cd79f6c52e45c4060e378bf42ac6ce3aefe15417daa081f410ac0f9f818edcbd95e1d555bef9472be37e7d73f30de05025990fd1850cb8

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
\ProgramData\Synaptics\Synaptics.exe
MD5
15c37b29b6170fb154d18749115b94ec

SHA1
a7c1a1dcababa9fdc88c14cbdbbac1b7f33d4d3e

SHA256
86c9fd53c68f00b586fdc12c37596d427a06b2ac36081e5132486b3a5ae3bb54

SHA512
2b88231b43510700118d7a648e67df80bd87baf1b0432fafdaa517f271032ae4baf3b463ef52c950eff2e160840a43bb1a1df7bcc54313c64fb4e4dc97138622

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_e03a774e6c8c69da4c1924626d42581376d13f63e4b0600d926bec8f083aac44.exe
MD5
1e492acc3fada41dbade170550fa827f

SHA1
475f04705b725d445382988d6443a6490af93c17

SHA256
fb1e10eff8178b1fed9c14a4a76c3dd5736ba2879fd7f0160e485d931925c6d1

SHA512
475180ebd1057622f446b32e2a64541d2fec46897fd14a74cc27037f0102fe130418afd968929d7cf724ff7c109617c01080099f457eb6ec962fe2aa69a07dec

Download Submit
memory/784-60-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/784-61-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/948-102-0x00000000020E6000-0x0000000002105000-memory.dmp

Filesize
124KB

Download
memory/948-97-0x0000000000000000-mapping.dmp

Download
memory/948-100-0x000007FEE9810000-0x000007FEEA8A6000-memory.dmp

Filesize
16.6MB

Download
memory/948-101-0x00000000020E0000-0x00000000020E2000-memory.dmp

Filesize
8KB

Download
memory/1132-83-0x0000000000130000-0x0000000000132000-memory.dmp

Filesize
8KB

Download
memory/1132-76-0x0000000000000000-mapping.dmp

Download
memory/1132-78-0x000007FEF2220000-0x000007FEF32B6000-memory.dmp

Filesize
16.6MB

Download
memory/1132-95-0x0000000000136000-0x0000000000155000-memory.dmp

Filesize
124KB

Download
memory/1224-82-0x000000002F991000-0x000000002F994000-memory.dmp

Filesize
12KB

Download
memory/1224-84-0x0000000071091000-0x0000000071093000-memory.dmp

Filesize
8KB

Download
memory/1224-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1424-71-0x00000000020B0000-0x00000000020B2000-memory.dmp

Filesize
8KB

Download
memory/1424-80-0x000007FEF2220000-0x000007FEF32B6000-memory.dmp

Filesize
16.6MB

Download
memory/1424-63-0x0000000000000000-mapping.dmp

Download
memory/1732-88-0x0000000000000000-mapping.dmp

Download
memory/1732-91-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1732-93-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/1732-96-0x000000001B176000-0x000000001B195000-memory.dmp

Filesize
124KB

Download
memory/1828-94-0x00000000004E6000-0x0000000000505000-memory.dmp

Filesize
124KB

Download
memory/1828-79-0x000007FEF2220000-0x000007FEF32B6000-memory.dmp

Filesize
16.6MB

Download
memory/1828-81-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/1828-73-0x0000000000000000-mapping.dmp

Download
memory/2032-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2032-68-0x0000000000000000-mapping.dmp

Download