6d4e6d54d7fb566e6887ce79f7d65c151b3092260cc7fef21dc60d46a265b4ff

Analysis

max time kernel
125s
max time network
116s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88f2cada2e0243ba55d434a87a204265.exe
Size

1.1MB
MD5

88f2cada2e0243ba55d434a87a204265
SHA1

7ca8b579078e01f561ca8a1b5879c1380d220737
SHA256

6d4e6d54d7fb566e6887ce79f7d65c151b3092260cc7fef21dc60d46a265b4ff
SHA512

ee94319550af8d7c833b68aae939cfdae7bc82462d2ce400670b346c47ca83b590705b3ae60e50aeeccb9f5e6286ea3b35711c3a13da5a339d41a49627bc5eb8

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

14 3996 rundll32.exe
17 3564 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3996 rundll32.exe
3564 rundll32.exe
3564 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3564 set thread context of 3864 3564 rundll32.exe rundll32.exe
Drops file in Program Files directory 2 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\PROGRA~3\lauvhfdchyoek\Sfnth.tmp rundll32.exe
File created C:\PROGRA~3\lauvhfdchyoek\jhakldcgpv.tmp rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
14	3996	rundll32.exe
17	3564	rundll32.exe

pid	process
3996	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe

description	pid	process	target process
PID 3564 set thread context of 3864	3564	rundll32.exe	rundll32.exe

description	ioc	process
File created	C:\PROGRA~3\lauvhfdchyoek\Sfnth.tmp	rundll32.exe
File created	C:\PROGRA~3\lauvhfdchyoek\jhakldcgpv.tmp	rundll32.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E25DD2FF83D51C156D3472599365D2F951DC24F3	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E25DD2FF83D51C156D3472599365D2F951DC24F3\Blob = 030000000100000014000000e25dd2ff83d51c156d3472599365d2f951dc24f320000000010000007d02000030820279308201e2a003020102020851f534532ca60a34300d06092a864886f70d01010b050030623121301f06035504030c1844693867694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3139303632323030343431345a170d3233303632313030343431345a30623121301f06035504030c1844693867694365727420476c6f62616c20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100caa18398a613d73b9b01156b2cff2f9f27074deff3ad0e90ab26ef913dcbe36afa14dcff0d3d89b5a359a018f51580c32ec9ac971a8ead8b0c276bd33c1a97744770e7bcb48acd02e3b1f069e62468c43946eb35cfc4105803371db250125e431d8c3557d66afb1fe9ea602b27186388524de907b8a98504ce731962ca2e46590203010001a3383036300f0603551d130101ff040530030101ff30230603551d11041c301a821844693867694365727420476c6f62616c20526f6f74204732300d06092a864886f70d01010b050003818100af126119a9b571d5dea99da6b8168c2d3c91d3e491372c863adaba423c2790a90c80a409e3d85c955fac9c0168b26e7cb3ff3ff3dc593196a763c0bb7eec9641d0c191f292af8dd2067ad9546867dc9a52a9bdf634301b5dd6e69fe8375a45725f53a3cd3dda9cef8e92ea8fb5c4cec0a4e127888cce3daf6400513df3d38a33	rundll32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

rundll32.exepowershell.exepowershell.exe

pid	process
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
3564	rundll32.exe
2764	powershell.exe
2764	powershell.exe
2764	powershell.exe
3564	rundll32.exe
3564	rundll32.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

rundll32.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3564 rundll32.exe
Token: SeDebugPrivilege 2764 powershell.exe
Token: SeDebugPrivilege 3828 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3564 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	3564	rundll32.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

88f2cada2e0243ba55d434a87a204265.exerundll32.exerundll32.exepowershell.exe

description	pid	process	target process
PID 3560 wrote to memory of 3996	3560	88f2cada2e0243ba55d434a87a204265.exe	rundll32.exe
PID 3560 wrote to memory of 3996	3560	88f2cada2e0243ba55d434a87a204265.exe	rundll32.exe
PID 3560 wrote to memory of 3996	3560	88f2cada2e0243ba55d434a87a204265.exe	rundll32.exe
PID 3996 wrote to memory of 3564	3996	rundll32.exe	rundll32.exe
PID 3996 wrote to memory of 3564	3996	rundll32.exe	rundll32.exe
PID 3996 wrote to memory of 3564	3996	rundll32.exe	rundll32.exe
PID 3564 wrote to memory of 3864	3564	rundll32.exe	rundll32.exe
PID 3564 wrote to memory of 3864	3564	rundll32.exe	rundll32.exe
PID 3564 wrote to memory of 3864	3564	rundll32.exe	rundll32.exe
PID 3564 wrote to memory of 2764	3564	rundll32.exe	powershell.exe
PID 3564 wrote to memory of 2764	3564	rundll32.exe	powershell.exe
PID 3564 wrote to memory of 2764	3564	rundll32.exe	powershell.exe
PID 3564 wrote to memory of 3828	3564	rundll32.exe	powershell.exe
PID 3564 wrote to memory of 3828	3564	rundll32.exe	powershell.exe
PID 3564 wrote to memory of 3828	3564	rundll32.exe	powershell.exe
PID 3828 wrote to memory of 184	3828	powershell.exe	nslookup.exe
PID 3828 wrote to memory of 184	3828	powershell.exe	nslookup.exe
PID 3828 wrote to memory of 184	3828	powershell.exe	nslookup.exe
PID 3564 wrote to memory of 2868	3564	rundll32.exe	schtasks.exe
PID 3564 wrote to memory of 2868	3564	rundll32.exe	schtasks.exe
PID 3564 wrote to memory of 2868	3564	rundll32.exe	schtasks.exe
PID 3564 wrote to memory of 192	3564	rundll32.exe	schtasks.exe
PID 3564 wrote to memory of 192	3564	rundll32.exe	schtasks.exe
PID 3564 wrote to memory of 192	3564	rundll32.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\88f2cada2e0243ba55d434a87a204265.exe
"C:\Users\Admin\AppData\Local\Temp\88f2cada2e0243ba55d434a87a204265.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\88F2CA~1.TMP,S C:\Users\Admin\AppData\Local\Temp\88F2CA~1.EXE
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~3\LAUVHF~1\JHAKLD~1.TMP,VwhPRTlLTU4= C:\Users\Admin\AppData\Local\Temp\88F2CA~1.TMP
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 31801
4⤵
PID:3864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC190.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpD588.tmp.ps1"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\nslookup.exe
"C:\Windows\system32\nslookup.exe" -type=any localhost
5⤵
PID:184

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:2868

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
4⤵
PID:192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\LAUVHF~1\JHAKLD~1.TMP
MD5
e57bcc271eb79e8a55b0ca0915a2bb50

SHA1
4ea5c6972e0f6b8ea1d330222d1404b21211da61

SHA256
b52e4d08846dc63bd10c1d2a4dcb6d9b5608261d55936c9db0f50a0645d5f11c

SHA512
8cb89912f70237fd58fa2f2e0aea7600665cfeb1a56c5962a841c64ea50225e9382d7ac139afee709f8f397ea43ccd3b056c536cda5249c700370e02bd2af5ab

Download Submit
C:\PROGRA~3\lauvhfdchyoek\Sfnth.tmp
MD5
71b1b329124b53b633b9c16e38493cdd

SHA1
1f4eedea6b1755b3eecc0920bc7bd9f434ab6d46

SHA256
3f457da63f45afcbd04ace1aecd9314054931ddc76851ea9f3ee9a72e6374f8f

SHA512
63f9823630ccbcfde98ef2d618b3b8d863288789bd81c09ef7e54f4584ed302e35ad815448c269133328f394c6db78b88b1607f108e863f056dc46b6f38db015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
47eebe401625bbc55e75dbfb72e9e89a

SHA1
db3b2135942d2532c59b9788253638eb77e5995e

SHA256
f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3

SHA512
590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4004ad053902b897f1bea3adbb550d8d

SHA1
519b28008b9b08836f22896e232809f1a1ce7819

SHA256
0a8fbb5c095203d5399940b2507fdce02e3d010d3b0cbc29194b7b4f9e44f8a6

SHA512
26fc77476cd33acde7ed5405a3a669c47f6423b1fe28d6b493b058b59c65c9cd8d8f07d1fdb8c593806ebdd90d0f5e349cce5253c922b2dfdb6e39b51c084494

Download Submit
C:\Users\Admin\AppData\Local\Temp\88F2CA~1.TMP
MD5
34db7debe08ece5166d8828c6ed17766

SHA1
c3197e1f85d4ffbee99e79dfa5c8a2ff4a825739

SHA256
6a6929121aa14bb4187be367ef8a1fb09b29eb46836fa3b3131121ead52f757f

SHA512
4c3d62df3eff23df318268f867811bc0ae7a4ab00105c249592105aa2b88c2e2954b4cf893bc9f17da960d4297db494129d67101a4ab79cfba3ed65f38a28824

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC190.tmp.ps1
MD5
d6964680f98bc66e5e630b41c41fc67e

SHA1
3e78928afb7bb6a86fc9764738c725be99871e4b

SHA256
9fdff9d49d283c3bba1e45a291d8bc2b8e3310764dd205d51826683a75b73473

SHA512
73096715e5b45538507d1e9f447c37d3a5a62ce9771a9d1022a577ae49a5ca1a75a3d85d5958bc0ccdce8ee8e73262860bc73ea5b81ba6c9764fd575a73cfdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC191.tmp
MD5
c416c12d1b2b1da8c8655e393b544362

SHA1
fb1a43cd8e1c556c2d25f361f42a21293c29e447

SHA256
0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046

SHA512
cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD588.tmp.ps1
MD5
21b10d011ff3340389d4931f17b63dc9

SHA1
4f9246e1338d9f2a77cbf7e95e34d1c8e48be8d7

SHA256
cbaa0cb16bd244520bbe393f257a2639c63511e8943dcd02b1c0f5672b8124da

SHA512
981f139b72959f8a749aecb1602e1d3a5de2d8c31df00b71a98832a44281e0070dfcc26febf20a0dc2c1f5fed29c973d1c4ec295b99cef14598fc8d5dd8b4f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD589.tmp
MD5
1860260b2697808b80802352fe324782

SHA1
f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b

SHA256
0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1

SHA512
d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

Download Submit
\PROGRA~3\LAUVHF~1\JHAKLD~1.TMP
MD5
e57bcc271eb79e8a55b0ca0915a2bb50

SHA1
4ea5c6972e0f6b8ea1d330222d1404b21211da61

SHA256
b52e4d08846dc63bd10c1d2a4dcb6d9b5608261d55936c9db0f50a0645d5f11c

SHA512
8cb89912f70237fd58fa2f2e0aea7600665cfeb1a56c5962a841c64ea50225e9382d7ac139afee709f8f397ea43ccd3b056c536cda5249c700370e02bd2af5ab

Download Submit
\PROGRA~3\LAUVHF~1\JHAKLD~1.TMP
MD5
e57bcc271eb79e8a55b0ca0915a2bb50

SHA1
4ea5c6972e0f6b8ea1d330222d1404b21211da61

SHA256
b52e4d08846dc63bd10c1d2a4dcb6d9b5608261d55936c9db0f50a0645d5f11c

SHA512
8cb89912f70237fd58fa2f2e0aea7600665cfeb1a56c5962a841c64ea50225e9382d7ac139afee709f8f397ea43ccd3b056c536cda5249c700370e02bd2af5ab

Download Submit
\Users\Admin\AppData\Local\Temp\88F2CA~1.TMP
MD5
34db7debe08ece5166d8828c6ed17766

SHA1
c3197e1f85d4ffbee99e79dfa5c8a2ff4a825739

SHA256
6a6929121aa14bb4187be367ef8a1fb09b29eb46836fa3b3131121ead52f757f

SHA512
4c3d62df3eff23df318268f867811bc0ae7a4ab00105c249592105aa2b88c2e2954b4cf893bc9f17da960d4297db494129d67101a4ab79cfba3ed65f38a28824

Download Submit
memory/184-185-0x0000000000000000-mapping.dmp

Download
memory/192-190-0x0000000000000000-mapping.dmp

Download
memory/2764-145-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/2764-157-0x00000000089F0000-0x00000000089F1000-memory.dmp

Filesize
4KB

Download
memory/2764-136-0x0000000000000000-mapping.dmp

Download
memory/2764-139-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2764-140-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/2764-141-0x0000000006BF0000-0x0000000006BF1000-memory.dmp

Filesize
4KB

Download
memory/2764-142-0x00000000074B0000-0x00000000074B1000-memory.dmp

Filesize
4KB

Download
memory/2764-143-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/2764-144-0x0000000007520000-0x0000000007521000-memory.dmp

Filesize
4KB

Download
memory/2764-146-0x0000000000D62000-0x0000000000D63000-memory.dmp

Filesize
4KB

Download
memory/2764-161-0x0000000000D63000-0x0000000000D64000-memory.dmp

Filesize
4KB

Download
memory/2764-147-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/2764-148-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/2764-149-0x0000000007C70000-0x0000000007C71000-memory.dmp

Filesize
4KB

Download
memory/2764-158-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/2764-151-0x0000000007D80000-0x0000000007D81000-memory.dmp

Filesize
4KB

Download
memory/2764-156-0x0000000009470000-0x0000000009471000-memory.dmp

Filesize
4KB

Download
memory/2868-188-0x0000000000000000-mapping.dmp

Download
memory/3560-117-0x0000000002770000-0x000000000285A000-memory.dmp

Filesize
936KB

Download
memory/3560-118-0x0000000000400000-0x00000000009B7000-memory.dmp

Filesize
5.7MB

Download
memory/3564-125-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/3564-133-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3564-119-0x0000000000000000-mapping.dmp

Download
memory/3564-123-0x0000000002950000-0x0000000002A8D000-memory.dmp

Filesize
1.2MB

Download
memory/3828-162-0x0000000000000000-mapping.dmp

Download
memory/3828-174-0x0000000007C50000-0x0000000007C51000-memory.dmp

Filesize
4KB

Download
memory/3828-175-0x0000000006940000-0x0000000006941000-memory.dmp

Filesize
4KB

Download
memory/3828-176-0x0000000006942000-0x0000000006943000-memory.dmp

Filesize
4KB

Download
memory/3828-171-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/3828-189-0x0000000006943000-0x0000000006944000-memory.dmp

Filesize
4KB

Download
memory/3864-130-0x00007FF6772F5FD0-mapping.dmp

Download
memory/3864-135-0x0000026FAC2C0000-0x0000026FAC471000-memory.dmp

Filesize
1.7MB

Download
memory/3864-134-0x0000000000030000-0x00000000001D0000-memory.dmp

Filesize
1.6MB

Download
memory/3996-114-0x0000000000000000-mapping.dmp

Download