6d444fc9baf9b6d7bd7cd76a73297d3a597378b67a722631d2b75582fde2c81e

Analysis

max time kernel
140s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
28-07-2021 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf6b7c2d9e35525f679075bae5219cc6.exe
Size

846KB
MD5

bf6b7c2d9e35525f679075bae5219cc6
SHA1

d5443425dfbe68dcf9b7925a4acaa900a2564759
SHA256

6d444fc9baf9b6d7bd7cd76a73297d3a597378b67a722631d2b75582fde2c81e
SHA512

452acfaa452276666104c544aff2184e2a497de55caa0eeae9387c0a24b778f0b613164935fc58af3b212e065d838bcfc10618bae5b0fe76263d275c5e9b8ae6

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

run.exerun2.exerun.exeMicrosoftApi.exeMicrosoftApi.exe

pid process

2648 run.exe
1216 run2.exe
2744 run.exe
4056 MicrosoftApi.exe
2768 MicrosoftApi.exe

pid	process
2648	run.exe
1216	run2.exe
2744	run.exe
4056	MicrosoftApi.exe
2768	MicrosoftApi.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

run2.exeMicrosoftApi.exeMicrosoftApi.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	run2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftApi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	run2.exe

Loads dropped DLL 5 IoCs

Processes:

run.exe

pid process

2744 run.exe
2744 run.exe
2744 run.exe
2744 run.exe
2744 run.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

run.exe

description pid process target process

PID 2648 set thread context of 2744 2648 run.exe run.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3648 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2224 timeout.exe
2404 timeout.exe
196 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeMicrosoftApi.exe

pid process

1576 powershell.exe
1576 powershell.exe
1576 powershell.exe
2768 MicrosoftApi.exe

pid	process
2744	run.exe
2744	run.exe
2744	run.exe
2744	run.exe
2744	run.exe

description	pid	process	target process
PID 2648 set thread context of 2744	2648	run.exe	run.exe

pid	process
3648	schtasks.exe

pid	process
2224	timeout.exe
2404	timeout.exe
196	timeout.exe

pid	process
1576	powershell.exe
1576	powershell.exe
1576	powershell.exe
2768	MicrosoftApi.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

run.exepowershell.exeMicrosoftApi.exe

description	pid	process
Token: SeDebugPrivilege	2648	run.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1576	powershell.exe
Token: SeSecurityPrivilege	1576	powershell.exe
Token: SeTakeOwnershipPrivilege	1576	powershell.exe
Token: SeLoadDriverPrivilege	1576	powershell.exe
Token: SeSystemProfilePrivilege	1576	powershell.exe
Token: SeSystemtimePrivilege	1576	powershell.exe
Token: SeProfSingleProcessPrivilege	1576	powershell.exe
Token: SeIncBasePriorityPrivilege	1576	powershell.exe
Token: SeCreatePagefilePrivilege	1576	powershell.exe
Token: SeBackupPrivilege	1576	powershell.exe
Token: SeRestorePrivilege	1576	powershell.exe
Token: SeShutdownPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeSystemEnvironmentPrivilege	1576	powershell.exe
Token: SeRemoteShutdownPrivilege	1576	powershell.exe
Token: SeUndockPrivilege	1576	powershell.exe
Token: SeManageVolumePrivilege	1576	powershell.exe
Token: 33	1576	powershell.exe
Token: 34	1576	powershell.exe
Token: 35	1576	powershell.exe
Token: 36	1576	powershell.exe
Token: SeDebugPrivilege	2768	MicrosoftApi.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exe

pid	process
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exe

pid	process
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe
4056	bf6b7c2d9e35525f679075bae5219cc6.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

bf6b7c2d9e35525f679075bae5219cc6.exerun.exerun2.exerun.execmd.exeMicrosoftApi.execmd.execmd.exe

description	pid	process	target process
PID 4056 wrote to memory of 2648	4056	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 4056 wrote to memory of 2648	4056	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 4056 wrote to memory of 2648	4056	bf6b7c2d9e35525f679075bae5219cc6.exe	run.exe
PID 4056 wrote to memory of 1216	4056	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 4056 wrote to memory of 1216	4056	bf6b7c2d9e35525f679075bae5219cc6.exe	run2.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 2648 wrote to memory of 2744	2648	run.exe	run.exe
PID 1216 wrote to memory of 4056	1216	run2.exe	MicrosoftApi.exe
PID 1216 wrote to memory of 4056	1216	run2.exe	MicrosoftApi.exe
PID 2744 wrote to memory of 3168	2744	run.exe	cmd.exe
PID 2744 wrote to memory of 3168	2744	run.exe	cmd.exe
PID 2744 wrote to memory of 3168	2744	run.exe	cmd.exe
PID 3168 wrote to memory of 2224	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2224	3168	cmd.exe	timeout.exe
PID 3168 wrote to memory of 2224	3168	cmd.exe	timeout.exe
PID 4056 wrote to memory of 2220	4056	MicrosoftApi.exe	cmd.exe
PID 4056 wrote to memory of 2220	4056	MicrosoftApi.exe	cmd.exe
PID 4056 wrote to memory of 2164	4056	MicrosoftApi.exe	cmd.exe
PID 4056 wrote to memory of 2164	4056	MicrosoftApi.exe	cmd.exe
PID 2220 wrote to memory of 2404	2220	cmd.exe	timeout.exe
PID 2220 wrote to memory of 2404	2220	cmd.exe	timeout.exe
PID 2164 wrote to memory of 196	2164	cmd.exe	timeout.exe
PID 2164 wrote to memory of 196	2164	cmd.exe	timeout.exe
PID 2220 wrote to memory of 1576	2220	cmd.exe	powershell.exe
PID 2220 wrote to memory of 1576	2220	cmd.exe	powershell.exe
PID 2164 wrote to memory of 3648	2164	cmd.exe	schtasks.exe
PID 2164 wrote to memory of 3648	2164	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\bf6b7c2d9e35525f679075bae5219cc6.exe
"C:\Users\Admin\AppData\Local\Temp\bf6b7c2d9e35525f679075bae5219cc6.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Public\run.exe
C:\Users\Public\run.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Public\run.exe
C:\Users\Public\run.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Public\run.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:2224

C:\Users\Public\run2.exe
C:\Users\Public\run2.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
"C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD44D.tmp.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD45E.tmp.cmd""
4⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\timeout.exe
timeout 4
5⤵
- Delays execution with timeout.exe
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
5⤵
- Creates scheduled task(s)
PID:3648

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftApi.exe.log
MD5
91da0e0d6c73120560eafe3fb0a762fa

SHA1
450b05f8ca5afb737da4312cf7d1603e695ec136

SHA256
bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1

SHA512
05fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD44D.tmp.cmd
MD5
90c796aa2dbdba7ff586114622145518

SHA1
ec523948aa2cd24177d046a755891c2ae6ff94fd

SHA256
e3934fa34ba657797eaa7b62196bed3fde7ac69ace75b8fc976e2a2c294f2609

SHA512
79b3b54bb7ccdf6038fd6667a1af7b70a08e2f3325d1f8a50d7b427667d01b9f2878958252aa1d59b62ff548536b4a72c33a7ac4317337e675cdd7b287026db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD45E.tmp.cmd
MD5
07cdc23bd68519e3569daaca03bcc088

SHA1
9e226b1ea6ff0165de9a8db51a9ca10681eb37b1

SHA256
2af249f5c490cfbad068d657b2ceb87e8ae6c6e21953e509e8517bd19d5b8cb2

SHA512
70a27df5c681182fa7d4ac5112b376a3db1e4d2558fbd2768f8ee00ef78bea61a8858a94f0d7e08b473c843e7fef00b065a6da8a5e4bbc67051319ee57f1414c

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run.exe
MD5
848b1ba08b8b8ef14ea675aabe5fca3b

SHA1
779594fbaa056b965a6f2bdeb236dd7d219b777d

SHA256
f39587daf3182dc632684a65c67081516371a602e4783c9a73292974952e0097

SHA512
a93652bdfe8427292400bf88530193abfb98ecd04c7b4c9b270eb9140222b290108dcec21d799b261ad3ec3f309e05bc3f4832b635adda6ff4ddd78e0f145a1c

Download Submit
C:\Users\Public\run2.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
C:\Users\Public\run2.exe
MD5
26f150c36d61887868aeb35388c27e28

SHA1
0ea0fc500f236e979b3f030d118f4fb998b67f76

SHA256
07c45a329f4ea2cfe7671123eb2aed8f48a8e1643c5a913fc51c18f01ca9945f

SHA512
b3dc9b6563b9b729df9cd51362740357d9837b88f1b11bbddce4bde1aeab3e8a153472ba5a61e86df318deff4d4ccb8ab696ee79885e7204420692ce88c0795b

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\freebl3.dll
MD5
60acd24430204ad2dc7f148b8cfe9bdc

SHA1
989f377b9117d7cb21cbe92a4117f88f9c7693d9

SHA256
9876c53134dbbec4dcca67581f53638eba3fea3a15491aa3cf2526b71032da97

SHA512
626c36e9567f57fa8ec9c36d96cbadede9c6f6734a7305ecfb9f798952bbacdfa33a1b6c4999ba5b78897dc2ec6f91870f7ec25b2ceacbaee4be942fe881db01

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\softokn3.dll
MD5
4e8df049f3459fa94ab6ad387f3561ac

SHA1
06ed392bc29ad9d5fc05ee254c2625fd65925114

SHA256
25a4dae37120426ab060ebb39b7030b3e7c1093cc34b0877f223b6843b651871

SHA512
3dd4a86f83465989b2b30c240a7307edd1b92d5c1d5c57d47eff287dc9daa7bace157017908d82e00be90f08ff5badb68019ffc9d881440229dcea5038f61cd6

Download Submit
memory/196-149-0x0000000000000000-mapping.dmp

Download
memory/1216-122-0x00007FF7D5D80000-0x00007FF7D5D81000-memory.dmp

Filesize
4KB

Download
memory/1216-116-0x0000000000000000-mapping.dmp

Download
memory/1576-162-0x000001722B7F3000-0x000001722B7F5000-memory.dmp

Filesize
8KB

Download
memory/1576-186-0x000001722B7F6000-0x000001722B7F8000-memory.dmp

Filesize
8KB

Download
memory/1576-190-0x000001722B7F8000-0x000001722B7F9000-memory.dmp

Filesize
4KB

Download
memory/1576-161-0x000001722B7F0000-0x000001722B7F2000-memory.dmp

Filesize
8KB

Download
memory/1576-156-0x0000017213470000-0x0000017213471000-memory.dmp

Filesize
4KB

Download
memory/1576-160-0x000001722B700000-0x000001722B701000-memory.dmp

Filesize
4KB

Download
memory/1576-150-0x0000000000000000-mapping.dmp

Download
memory/2164-145-0x0000000000000000-mapping.dmp

Download
memory/2220-144-0x0000000000000000-mapping.dmp

Download
memory/2224-143-0x0000000000000000-mapping.dmp

Download
memory/2404-147-0x0000000000000000-mapping.dmp

Download
memory/2648-127-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2648-126-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2648-114-0x0000000000000000-mapping.dmp

Download
memory/2648-120-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2648-124-0x0000000003280000-0x000000000328E000-memory.dmp

Filesize
56KB

Download
memory/2648-125-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/2744-128-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2744-129-0x000000000044003F-mapping.dmp

Download
memory/2744-131-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2768-195-0x000001DDDE5B0000-0x000001DDDE5B2000-memory.dmp

Filesize
8KB

Download
memory/3168-142-0x0000000000000000-mapping.dmp

Download
memory/3648-151-0x0000000000000000-mapping.dmp

Download
memory/4056-132-0x0000000000000000-mapping.dmp

Download
memory/4056-136-0x00007FF6ACD60000-0x00007FF6ACD61000-memory.dmp

Filesize
4KB

Download