03fe24d7f895988c09b48880d841096dcc9e3623254884d93769a4e362473950

Analysis

max time kernel
1384s
max time network
1454s
platform
windows7_x64
resource
win7v20210408
submitted
21-07-2021 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.07.21.doc
Size

72KB
MD5

2b7fbd7553c2c0079775ff71624f6e1d
SHA1

de14f7af8b1e4f44c075f699dfedaa7ada95cc49
SHA256

03fe24d7f895988c09b48880d841096dcc9e3623254884d93769a4e362473950
SHA512

96554a7da2d220c8037281352de6271dc51fac4623ca3a55ba01035376e00a8e2f7334e9555e22706dd96f857f7bab6c3c342503c32a08335b35a0b36cc70a34

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1064	1840	cmd.exe	WINWORD.EXE

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1964 created 1200 1964 regsvr32.exe Explorer.EXE
Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 1712 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

pid process

1948 regsvr32.exe
1964 regsvr32.exe
1316 regsvr32.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 myexternalip.com
28 myexternalip.com
40 myexternalip.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1964 set thread context of 1756 1964 regsvr32.exe chrome.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Discovers systems in the same network 1 TTPs 6 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exenet.exenet.exenet.exe

pid process

1888 net.exe
628 net.exe
1808 net.exe
1720 net.exe
2032 net.exe
900 net.exe

description	pid	process	target process
PID 1964 created 1200	1964	regsvr32.exe	Explorer.EXE

flow	pid	process
6	1712	mshta.exe

pid	process
1948	regsvr32.exe
1964	regsvr32.exe
1316	regsvr32.exe

flow	ioc
27	myexternalip.com
28	myexternalip.com
40	myexternalip.com

description	pid	process	target process
PID 1964 set thread context of 1756	1964	regsvr32.exe	chrome.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1888	net.exe
628	net.exe
1808	net.exe
1720	net.exe
2032	net.exe
900	net.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1840 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

regsvr32.exechrome.exe

pid process

1964 regsvr32.exe
1756 chrome.exe
1756 chrome.exe
1756 chrome.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1840 WINWORD.EXE
1840 WINWORD.EXE

pid	process
1840	WINWORD.EXE

pid	process
1964	regsvr32.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

pid	process
1840	WINWORD.EXE
1840	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1840 wrote to memory of 1064	1840	WINWORD.EXE	cmd.exe
PID 1840 wrote to memory of 1064	1840	WINWORD.EXE	cmd.exe
PID 1840 wrote to memory of 1064	1840	WINWORD.EXE	cmd.exe
PID 1840 wrote to memory of 1064	1840	WINWORD.EXE	cmd.exe
PID 1064 wrote to memory of 1712	1064	cmd.exe	mshta.exe
PID 1064 wrote to memory of 1712	1064	cmd.exe	mshta.exe
PID 1064 wrote to memory of 1712	1064	cmd.exe	mshta.exe
PID 1064 wrote to memory of 1712	1064	cmd.exe	mshta.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1712 wrote to memory of 1948	1712	mshta.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1948 wrote to memory of 1964	1948	regsvr32.exe	regsvr32.exe
PID 1840 wrote to memory of 924	1840	WINWORD.EXE	splwow64.exe
PID 1840 wrote to memory of 924	1840	WINWORD.EXE	splwow64.exe
PID 1840 wrote to memory of 924	1840	WINWORD.EXE	splwow64.exe
PID 1840 wrote to memory of 924	1840	WINWORD.EXE	splwow64.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe
PID 1964 wrote to memory of 1756	1964	regsvr32.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\documents.07.21.doc"
  2⤵
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\programdata\sds.hta
    3⤵
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\programdata\sds.hta"
      4⤵
      Blocklisted process makes network request
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" c:\users\public\haveSimpleAnd.jpg
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Windows\system32\regsvr32.exe
        
        c:\users\public\haveSimpleAnd.jpg
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1964
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:2032
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:900
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:1656
- - C:\Windows\system32\net.exe
    net localgroup administrator
    3⤵
    PID:1060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:552
- - C:\Windows\system32\net.exe
    net group /domain admins
    3⤵
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:1836
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:1888
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:628
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:816
- - C:\Windows\system32\net.exe
    net localgroup administrator
    3⤵
    PID:1272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:2016
- - C:\Windows\system32\net.exe
    net group /domain admins
    3⤵
    PID:884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:440
- - C:\Windows\system32\net.exe
    net view /all
    3⤵
    - Discovers systems in the same network
    PID:1808
- - C:\Windows\system32\net.exe
    net view /all /domain
    3⤵
    - Discovers systems in the same network
    PID:1720
- - C:\Windows\system32\nltest.exe
    nltest /domain_trusts /all_trusts
    3⤵
    PID:984
- - C:\Windows\system32\net.exe
    net localgroup administrator
    3⤵
    PID:1580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrator
      4⤵
      PID:1972
- - C:\Windows\system32\net.exe
    net group /domain admins
    3⤵
    PID:900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 group /domain admins
      4⤵
      PID:1788

C:\Windows\system32\regsvr32.exe
regsvr32 /s "c:\users\public\haveSimpleAnd.jpg"
1⤵
- Loads dropped DLL
PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
9dfe6a4c5ad55b780a597573d88c3946

SHA1
3671001590341639c94f57ec7967ba4ba1a6ce5a

SHA256
a073fc0f9d678bc69d4b8e0a3935eff91b8746d71ac5d4c9020b25b3e4c0f1b9

SHA512
8e170c2dc200a08a97e2b8b21e99cf4dad792e8143e236781fdc280dcfee1f399c7bc2bd51099fb010d9f799ea4d77abfb6376e1da93cd6e274980556a539238

Download Submit
C:\programdata\sds.hta

MD5
242417bcb787a1d673f9d63b8345ba9d

SHA1
a419bcc2f1b8d0591a9c6e3469e61968c5bd7c5e

SHA256
d9b5bfe4016357985bf9afbeeab1bcfaee713e4fa6243682a47de56e3038fcb5

SHA512
d2fca175faf488df0b36b7ac263bb32ba0961a860f9d5f6e162746fdca7c0693c71c96112abb657c45e568909e6dc992d840877b19e0991e041986e22c985789

Download Submit
\??\PIPE\NETLOGON

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\lsarpc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\users\public\haveSimpleAnd.jpg

MD5
063b62623f9aa6bf23a54a0bfafa143c

SHA1
b5ebfd1543eddaf52d51d8f65ebd4fcabb8c4f41

SHA256
e71fa3c09ef55e0aeed7a2f500101626d1e61b6f7cccc312577a8f3535657dcd

SHA512
d57f6c8e03336e2159597aae61e26d7eaec15c35f7d3ba26172ffa93548b618d5947702e9a70f793292af2ce42bbbc01c95ceb274325f77c9e2f008aaa3e5c8e

Download Submit
\Users\Public\haveSimpleAnd.jpg

MD5
063b62623f9aa6bf23a54a0bfafa143c

SHA1
b5ebfd1543eddaf52d51d8f65ebd4fcabb8c4f41

SHA256
e71fa3c09ef55e0aeed7a2f500101626d1e61b6f7cccc312577a8f3535657dcd

SHA512
d57f6c8e03336e2159597aae61e26d7eaec15c35f7d3ba26172ffa93548b618d5947702e9a70f793292af2ce42bbbc01c95ceb274325f77c9e2f008aaa3e5c8e

Download Submit
\Users\Public\haveSimpleAnd.jpg

MD5
063b62623f9aa6bf23a54a0bfafa143c

SHA1
b5ebfd1543eddaf52d51d8f65ebd4fcabb8c4f41

SHA256
e71fa3c09ef55e0aeed7a2f500101626d1e61b6f7cccc312577a8f3535657dcd

SHA512
d57f6c8e03336e2159597aae61e26d7eaec15c35f7d3ba26172ffa93548b618d5947702e9a70f793292af2ce42bbbc01c95ceb274325f77c9e2f008aaa3e5c8e

Download Submit
\Users\Public\haveSimpleAnd.jpg

MD5
063b62623f9aa6bf23a54a0bfafa143c

SHA1
b5ebfd1543eddaf52d51d8f65ebd4fcabb8c4f41

SHA256
e71fa3c09ef55e0aeed7a2f500101626d1e61b6f7cccc312577a8f3535657dcd

SHA512
d57f6c8e03336e2159597aae61e26d7eaec15c35f7d3ba26172ffa93548b618d5947702e9a70f793292af2ce42bbbc01c95ceb274325f77c9e2f008aaa3e5c8e

Download Submit
memory/440-101-0x0000000000000000-mapping.dmp

Download
memory/552-90-0x0000000000000000-mapping.dmp

Download
memory/628-94-0x0000000000000000-mapping.dmp

Download
memory/816-95-0x0000000000000000-mapping.dmp

Download
memory/884-100-0x0000000000000000-mapping.dmp

Download
memory/900-108-0x0000000000000000-mapping.dmp

Download
memory/900-87-0x0000000000000000-mapping.dmp

Download
memory/924-75-0x0000000000000000-mapping.dmp

Download
memory/984-104-0x0000000000000000-mapping.dmp

Download
memory/1060-89-0x0000000000000000-mapping.dmp

Download
memory/1064-63-0x0000000000000000-mapping.dmp

Download
memory/1072-91-0x0000000000000000-mapping.dmp

Download
memory/1272-97-0x0000000000000000-mapping.dmp

Download
memory/1316-83-0x00000000007F0000-0x000000000082E000-memory.dmp

Filesize
248KB

Download
memory/1580-105-0x0000000000000000-mapping.dmp

Download
memory/1656-88-0x0000000000000000-mapping.dmp

Download
memory/1712-66-0x0000000000000000-mapping.dmp

Download
memory/1720-103-0x0000000000000000-mapping.dmp

Download
memory/1756-80-0x000000013F300000-0x000000013F545000-memory.dmp

Filesize
2.3MB

Download
memory/1756-78-0x000000013F300000-0x000000013F545000-memory.dmp

Filesize
2.3MB

Download
memory/1756-79-0x000000013F5177D8-mapping.dmp

Download
memory/1788-109-0x0000000000000000-mapping.dmp

Download
memory/1808-102-0x0000000000000000-mapping.dmp

Download
memory/1836-92-0x0000000000000000-mapping.dmp

Download
memory/1840-59-0x0000000072AB1000-0x0000000072AB4000-memory.dmp

Filesize
12KB

Download
memory/1840-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1840-60-0x0000000070531000-0x0000000070533000-memory.dmp

Filesize
8KB

Download
memory/1840-62-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1840-77-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-93-0x0000000000000000-mapping.dmp

Download
memory/1948-67-0x0000000000000000-mapping.dmp

Download
memory/1964-71-0x0000000000000000-mapping.dmp

Download
memory/1964-74-0x0000000001DF0000-0x0000000001E2E000-memory.dmp

Filesize
248KB

Download
memory/1964-72-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1972-106-0x0000000000000000-mapping.dmp

Download
memory/2016-98-0x0000000000000000-mapping.dmp

Download
memory/2032-86-0x0000000000000000-mapping.dmp

Download