46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-en-20210920
submitted
21-10-2021 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f389bcaede3b4275e90f2d9ff0e50a57.exe
Size

42KB
MD5

f389bcaede3b4275e90f2d9ff0e50a57
SHA1

b5b8d733ef241a5e57b53c8e809dd5629d4e2a31
SHA256

46de87ee14fc89de41df979d9de14bd223dbd109d7f9c04eda2641091d6d005b
SHA512

36ee862ec5f7c401b990f6bcde85bcbf48237729a4cef53c44a73bed461810107142e770e458f598ff8e08f69f295bf0314e4001d6c6d247052de82beadbb79c

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Nirsoft 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe

pid process

1800 AdvancedRun.exe
1676 AdvancedRun.exe
Loads dropped DLL 4 IoCs

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exeAdvancedRun.exe

pid process

1600 f389bcaede3b4275e90f2d9ff0e50a57.exe
1600 f389bcaede3b4275e90f2d9ff0e50a57.exe
1800 AdvancedRun.exe
1800 AdvancedRun.exe

pid	process
1600	f389bcaede3b4275e90f2d9ff0e50a57.exe
1600	f389bcaede3b4275e90f2d9ff0e50a57.exe
1800	AdvancedRun.exe
1800	AdvancedRun.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	f389bcaede3b4275e90f2d9ff0e50a57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe = "0"	f389bcaede3b4275e90f2d9ff0e50a57.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	f389bcaede3b4275e90f2d9ff0e50a57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	f389bcaede3b4275e90f2d9ff0e50a57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	f389bcaede3b4275e90f2d9ff0e50a57.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	f389bcaede3b4275e90f2d9ff0e50a57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	f389bcaede3b4275e90f2d9ff0e50a57.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	f389bcaede3b4275e90f2d9ff0e50a57.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe = "0"	f389bcaede3b4275e90f2d9ff0e50a57.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ꍖꎂꍔꍘꍖꍖꍔꍘꍗꍙꎃꍡꎁꎅꍔ = "C:\\Windows\\Resources\\Themes\\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\\svchost.exe"	f389bcaede3b4275e90f2d9ff0e50a57.exe

Drops file in Windows directory 2 IoCs

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe
File opened for modification	C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1316 1600 WerFault.exe f389bcaede3b4275e90f2d9ff0e50a57.exe

pid	pid_target	process	target process
1316	1600	WerFault.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
1800	AdvancedRun.exe
1800	AdvancedRun.exe
1676	AdvancedRun.exe
1676	AdvancedRun.exe
568	powershell.exe
1196	powershell.exe
1228	powershell.exe
1976	powershell.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1316 WerFault.exe

pid	process
1316	WerFault.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe
Token: SeDebugPrivilege	1800	AdvancedRun.exe
Token: SeImpersonatePrivilege	1800	AdvancedRun.exe
Token: SeDebugPrivilege	1676	AdvancedRun.exe
Token: SeImpersonatePrivilege	1676	AdvancedRun.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1316	WerFault.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

f389bcaede3b4275e90f2d9ff0e50a57.exeAdvancedRun.exe

description	pid	process	target process
PID 1600 wrote to memory of 568	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 568	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 568	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 568	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1228	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1228	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1228	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1228	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1196	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1196	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1196	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1196	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1800	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	AdvancedRun.exe
PID 1600 wrote to memory of 1800	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	AdvancedRun.exe
PID 1600 wrote to memory of 1800	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	AdvancedRun.exe
PID 1600 wrote to memory of 1800	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	AdvancedRun.exe
PID 1800 wrote to memory of 1676	1800	AdvancedRun.exe	AdvancedRun.exe
PID 1800 wrote to memory of 1676	1800	AdvancedRun.exe	AdvancedRun.exe
PID 1800 wrote to memory of 1676	1800	AdvancedRun.exe	AdvancedRun.exe
PID 1800 wrote to memory of 1676	1800	AdvancedRun.exe	AdvancedRun.exe
PID 1600 wrote to memory of 1976	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1976	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1976	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 1976	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	powershell.exe
PID 1600 wrote to memory of 908	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe
PID 1600 wrote to memory of 908	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe
PID 1600 wrote to memory of 908	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe
PID 1600 wrote to memory of 908	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	f389bcaede3b4275e90f2d9ff0e50a57.exe
PID 1600 wrote to memory of 1316	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	WerFault.exe
PID 1600 wrote to memory of 1316	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	WerFault.exe
PID 1600 wrote to memory of 1316	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	WerFault.exe
PID 1600 wrote to memory of 1316	1600	f389bcaede3b4275e90f2d9ff0e50a57.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
"C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe"
1⤵
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\쳶쳱촵쳴쳰촴촡촁쳲촉쳸촵촥촤촬\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe" /SpecialRun 4101d8 1800
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
C:\Users\Admin\AppData\Local\Temp\f389bcaede3b4275e90f2d9ff0e50a57.exe
2⤵
PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1972
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
055b33579dee0edc0a3e815edc3910b0

SHA1
fe38faa30660e3aff032c3e292d3f4c811ed868b

SHA256
58628b8ccbed1b537ac96b3e8cf583f238785a88aafb82e15b3ada5ce42dc678

SHA512
dec4e60ee8c3cf4d9e165276c1efde898b7e9816641b6a7864462431d3e43c132a29f03ade3251126d4e718814c003b72556b09026583d720f90404ce1b15159

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
055b33579dee0edc0a3e815edc3910b0

SHA1
fe38faa30660e3aff032c3e292d3f4c811ed868b

SHA256
58628b8ccbed1b537ac96b3e8cf583f238785a88aafb82e15b3ada5ce42dc678

SHA512
dec4e60ee8c3cf4d9e165276c1efde898b7e9816641b6a7864462431d3e43c132a29f03ade3251126d4e718814c003b72556b09026583d720f90404ce1b15159

Download Submit
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\caa6fa85-b565-404c-8984-9f5d8d78dcda\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/568-78-0x0000000002680000-0x00000000032CA000-memory.dmp

Filesize
12.3MB

Download
memory/568-81-0x0000000002680000-0x00000000032CA000-memory.dmp

Filesize
12.3MB

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/568-79-0x0000000002680000-0x00000000032CA000-memory.dmp

Filesize
12.3MB

Download
memory/1196-61-0x0000000000000000-mapping.dmp

Download
memory/1196-66-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1228-80-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1228-60-0x0000000000000000-mapping.dmp

Download
memory/1316-89-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/1316-85-0x0000000000000000-mapping.dmp

Download
memory/1600-57-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1600-58-0x0000000005360000-0x00000000053C1000-memory.dmp

Filesize
388KB

Download
memory/1600-54-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1600-56-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1676-75-0x0000000000000000-mapping.dmp

Download
memory/1800-69-0x0000000000000000-mapping.dmp

Download
memory/1976-82-0x0000000000000000-mapping.dmp

Download
memory/1976-86-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1976-88-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download
memory/1976-87-0x0000000002420000-0x000000000306A000-memory.dmp

Filesize
12.3MB

Download