Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    01-06-2021 13:20

General

  • Target

    4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe

  • Size

    3.8MB

  • MD5

    9094886e98dfabe1e5ad8489e08069e2

  • SHA1

    69120139b6195741210d89e963538014190bfa8e

  • SHA256

    4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c

  • SHA512

    ccef13646bceaf423db355743b0213d834520ea5091fe46acc95deb794b59695703161a782a7cf24707cdfa28696333f2218202a9bec7c351d34686cce67f337

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

  • Modifies firewall policy service 2 TTPs 4 IoCs
  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 6 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Sets file execution options in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 7 IoCs
  • Maps connected drives based on registry 3 TTPs 16 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 4 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious behavior: MapViewOfSection 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9036848d0379bbfa74759957a24b6338568baa494d90fe671c1f71d8c0d12c.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Windows\AcrobatDC.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:420
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 30 /tn Skype /tr "C:\Windows\AcrobatDC.js
        3⤵
        • Creates scheduled task(s)
        PID:3516
    • C:\Windows\amtemu.exe
      "C:\Windows\amtemu.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FB04.tmp\start.bat" C:\Windows\amtemu.exe"
        3⤵
        • Checks whether UAC is enabled
        • Maps connected drives based on registry
        • Suspicious use of WriteProcessMemory
        PID:1632
        • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe
          key.exe
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:3844
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytmp\t7747.bat" "C:\Users\Admin\AppData\Local\Temp\FB04.tmp\key.exe" "
            5⤵
            • Drops file in Drivers directory
            • Checks whether UAC is enabled
            • Maps connected drives based on registry
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of WriteProcessMemory
            PID:2192
            • C:\Windows\SysWOW64\attrib.exe
              attrib +h C:\Users\Admin\AppData\Local\Temp\ytmp
              6⤵
              • Views/modifies file attributes
              PID:1972
            • C:\Windows\SysWOW64\find.exe
              FIND /C /I "0.0.0.0 cracksmind.com" C:\Windows\system32\drivers\etc\hosts
              6⤵
              PID:296
            • C:\Windows\SysWOW64\find.exe
              FIND /C /I "0.0.0.0 www.cracksmind.com" C:\Windows\system32\drivers\etc\hosts
              6⤵
              PID:1296
            • C:\Users\Admin\AppData\Local\Temp\afolder\data.dat
              C:\Users\Admin\AppData\Local\Temp\afolder/data.dat
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Maps connected drives based on registry
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2812
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 1
          4⤵
          • Delays execution with timeout.exe
          PID:1296
        • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\Microsoft.VisualStudio.Package.LanguageService.11.0.exe
          Microsoft.VisualStudio.Package.LanguageService.11.0.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1640
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" os get Caption /format:list
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:812
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 2
          4⤵
          • Delays execution with timeout.exe
          PID:3400
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 3
          4⤵
          • Delays execution with timeout.exe
          PID:4264
        • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
          bb.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe
            "C:\Users\Admin\AppData\Local\Temp\FB04.tmp\bb.exe"
            5⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Checks processor information in registry
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4296
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • Modifies firewall policy service
              • Checks BIOS information in registry
              • Adds Run key to start application
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Checks processor information in registry
              • Enumerates system info in registry
              • Modifies Internet Explorer Protected Mode
              • Modifies Internet Explorer Protected Mode Banner
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4368
        • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\puttty.exe
          puttty.exe
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:4440
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 2376
            5⤵
            • Maps connected drives based on registry
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:4832
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 4
          4⤵
          • Delays execution with timeout.exe
          PID:4456
        • C:\Users\Admin\AppData\Local\Temp\FB04.tmp\ereds.exe
          ereds.exe
          4⤵
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Maps connected drives based on registry
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:4692
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 1536
            5⤵
            • Maps connected drives based on registry
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    • Scheduled Task (T1053): 1

  • Persistence
    • Modify Existing Service (T1031): 1
    • Registry Run Keys / Startup Folder (T1060): 2
    • Scheduled Task (T1053): 1
    • Hidden Files and Directories (T1158): 1

  • Privilege Escalation
    • Scheduled Task (T1053): 1

  • Defense Evasion
    • Modify Registry (T1112): 6
    • Hidden Files and Directories (T1158): 1

  • Credential Access
    • Credentials in Files (T1081): 1

  • Discovery
    • Query Registry (T1012): 5
    • System Information Discovery (T1082): 6
    • Peripheral Device Discovery (T1120): 1

  • Collection
    • Data from Local System (T1005): 1

Downloads
