bazarloader | 5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10

Analysis

max time kernel
151s
max time network
152s
platform
windows10_x64
resource
win10-en-20211104
submitted
08-12-2021 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
Size

241KB
MD5

8fd84f8bb387f090f8ec1f8100351200
SHA1

9f3d5a2a6670a59e5c4c338aee7362a1e080f9d6
SHA256

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10
SHA512

6fc30f5cfcb0397502a342499093e72ef481bd54ffbf0b5a5649c48b4cb1307650e1b68d1668638cf949817e96227a16832ffc6b7bd9c9a23e4b5f2b4c9fd69a

Score

10^/10

bazarloader raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor discovery dropper infostealer loader spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4108-137-0x0000000000B00000-0x0000000000B69000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1784-175-0x00000000024E0000-0x0000000002520000-memory.dmp	BazarLoaderVar5

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

6DF8.exe6DF8.exe825C.exe874F.exeE697.exe

pid process

2268 6DF8.exe
3192 6DF8.exe
4484 825C.exe
4108 874F.exe
2664 E697.exe
Deletes itself 1 IoCs

Processes:

pid process

2416
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1784 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

874F.exe

pid process

4108 874F.exe

pid	process
2268	6DF8.exe
3192	6DF8.exe
4484	825C.exe
4108	874F.exe
2664	E697.exe

pid	process
2416

pid	process
1784	regsvr32.exe

pid	process
4108	874F.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe6DF8.exe

description	pid	process	target process
PID 396 set thread context of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 2268 set thread context of 3192	2268	6DF8.exe	6DF8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6DF8.exe5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6DF8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6DF8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6DF8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe

pid	process
4072	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
4072	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe6DF8.exe

pid process

4072 5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
3192 6DF8.exe

pid	process
2416

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

874F.exe

description	pid	process
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeDebugPrivilege	4108	874F.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe6DF8.exe

description	pid	process	target process
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 396 wrote to memory of 4072	396	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe	5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
PID 2416 wrote to memory of 2268	2416		6DF8.exe
PID 2416 wrote to memory of 2268	2416		6DF8.exe
PID 2416 wrote to memory of 2268	2416		6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2268 wrote to memory of 3192	2268	6DF8.exe	6DF8.exe
PID 2416 wrote to memory of 4484	2416		825C.exe
PID 2416 wrote to memory of 4484	2416		825C.exe
PID 2416 wrote to memory of 4484	2416		825C.exe
PID 2416 wrote to memory of 4108	2416		874F.exe
PID 2416 wrote to memory of 4108	2416		874F.exe
PID 2416 wrote to memory of 4108	2416		874F.exe
PID 2416 wrote to memory of 1784	2416		regsvr32.exe
PID 2416 wrote to memory of 1784	2416		regsvr32.exe
PID 2416 wrote to memory of 2664	2416		E697.exe
PID 2416 wrote to memory of 2664	2416		E697.exe
PID 2416 wrote to memory of 2664	2416		E697.exe

C:\Users\Admin\AppData\Local\Temp\5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
"C:\Users\Admin\AppData\Local\Temp\5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe
"C:\Users\Admin\AppData\Local\Temp\5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4072

C:\Users\Admin\AppData\Local\Temp\6DF8.exe
C:\Users\Admin\AppData\Local\Temp\6DF8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\6DF8.exe
C:\Users\Admin\AppData\Local\Temp\6DF8.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3192

C:\Users\Admin\AppData\Local\Temp\825C.exe
C:\Users\Admin\AppData\Local\Temp\825C.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\874F.exe
C:\Users\Admin\AppData\Local\Temp\874F.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CC96.dll
1⤵
- Loads dropped DLL
PID:1784

C:\Users\Admin\AppData\Local\Temp\E697.exe
C:\Users\Admin\AppData\Local\Temp\E697.exe
1⤵
- Executes dropped EXE
PID:2664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6DF8.exe
MD5
8fd84f8bb387f090f8ec1f8100351200

SHA1
9f3d5a2a6670a59e5c4c338aee7362a1e080f9d6

SHA256
5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10

SHA512
6fc30f5cfcb0397502a342499093e72ef481bd54ffbf0b5a5649c48b4cb1307650e1b68d1668638cf949817e96227a16832ffc6b7bd9c9a23e4b5f2b4c9fd69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DF8.exe
MD5
8fd84f8bb387f090f8ec1f8100351200

SHA1
9f3d5a2a6670a59e5c4c338aee7362a1e080f9d6

SHA256
5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10

SHA512
6fc30f5cfcb0397502a342499093e72ef481bd54ffbf0b5a5649c48b4cb1307650e1b68d1668638cf949817e96227a16832ffc6b7bd9c9a23e4b5f2b4c9fd69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6DF8.exe
MD5
8fd84f8bb387f090f8ec1f8100351200

SHA1
9f3d5a2a6670a59e5c4c338aee7362a1e080f9d6

SHA256
5e2346479d633af517088a6be81e5051f8ed1c9c1b96fb3e7797a26db7c11c10

SHA512
6fc30f5cfcb0397502a342499093e72ef481bd54ffbf0b5a5649c48b4cb1307650e1b68d1668638cf949817e96227a16832ffc6b7bd9c9a23e4b5f2b4c9fd69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\825C.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\825C.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\874F.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\874F.exe
MD5
0cefed061e2a2241ecd302d7790a2f80

SHA1
5f119195af2db118c5fbac21634bea00f5d5b8da

SHA256
014ad60fd2c294dd8fb63c022961e17df1ba74bb1209a64634112913edc44983

SHA512
7b7e4460dad4f176b11a66a37bbc1b2fd2c7e042c5e949c72edcc3c93d9bb9d210d8ecc95d8aad533c761947958e008c4ced8b5faef9319ebb5bf29752381cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC96.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E697.exe
MD5
0af95d4534f76e1f817f8fdfbb72457f

SHA1
8995c4919b29f929f40881ede42fc351b63e39e6

SHA256
37277505c9c29a553b922916789287d97ec515d25dc2cb499ded717347efac9c

SHA512
e6026be9187b83e2c1685a62cf88c975c65bbc7476130051eb91d228fcaf8600922fafe99de09ecbc23744fc478dcdb42cf28492676317616c82dd7760ae3490

Download Submit
C:\Users\Admin\AppData\Local\Temp\E697.exe
MD5
0af95d4534f76e1f817f8fdfbb72457f

SHA1
8995c4919b29f929f40881ede42fc351b63e39e6

SHA256
37277505c9c29a553b922916789287d97ec515d25dc2cb499ded717347efac9c

SHA512
e6026be9187b83e2c1685a62cf88c975c65bbc7476130051eb91d228fcaf8600922fafe99de09ecbc23744fc478dcdb42cf28492676317616c82dd7760ae3490

Download Submit
\Users\Admin\AppData\Local\Temp\CC96.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
memory/396-121-0x0000000002C30000-0x0000000002CDE000-memory.dmp

Filesize
696KB

Download
memory/396-120-0x0000000002C10000-0x0000000002C19000-memory.dmp

Filesize
36KB

Download
memory/1784-164-0x0000000000000000-mapping.dmp

Download
memory/1784-175-0x00000000024E0000-0x0000000002520000-memory.dmp

Filesize
256KB

Download
memory/1784-173-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/1784-174-0x00000000007A0000-0x00000000007A2000-memory.dmp

Filesize
8KB

Download
memory/2268-129-0x0000000002BA0000-0x0000000002BA9000-memory.dmp

Filesize
36KB

Download
memory/2268-123-0x0000000000000000-mapping.dmp

Download
memory/2416-156-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/2416-122-0x0000000000940000-0x0000000000956000-memory.dmp

Filesize
88KB

Download
memory/2664-170-0x0000000002D10000-0x0000000002D5F000-memory.dmp

Filesize
316KB

Download
memory/2664-171-0x0000000004720000-0x00000000047AF000-memory.dmp

Filesize
572KB

Download
memory/2664-167-0x0000000000000000-mapping.dmp

Download
memory/2664-172-0x0000000000400000-0x0000000002BBD000-memory.dmp

Filesize
39.7MB

Download
memory/3192-127-0x0000000000402F47-mapping.dmp

Download
memory/4072-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4072-119-0x0000000000402F47-mapping.dmp

Download
memory/4108-147-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/4108-162-0x0000000006AC0000-0x0000000006AC1000-memory.dmp

Filesize
4KB

Download
memory/4108-151-0x0000000074050000-0x00000000745D4000-memory.dmp

Filesize
5.5MB

Download
memory/4108-153-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/4108-152-0x0000000074A60000-0x0000000075DA8000-memory.dmp

Filesize
19.3MB

Download
memory/4108-154-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4108-155-0x000000006FDD0000-0x000000006FE1B000-memory.dmp

Filesize
300KB

Download
memory/4108-149-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/4108-157-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/4108-158-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4108-159-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/4108-160-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4108-161-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/4108-150-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4108-163-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/4108-148-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4108-146-0x0000000071B60000-0x0000000071BE0000-memory.dmp

Filesize
512KB

Download
memory/4108-144-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4108-143-0x00000000767F0000-0x00000000768E1000-memory.dmp

Filesize
964KB

Download
memory/4108-142-0x00000000025F0000-0x0000000002635000-memory.dmp

Filesize
276KB

Download
memory/4108-134-0x0000000000000000-mapping.dmp

Download
memory/4108-139-0x0000000076AA0000-0x0000000076C62000-memory.dmp

Filesize
1.8MB

Download
memory/4108-137-0x0000000000B00000-0x0000000000B69000-memory.dmp

Filesize
420KB

Download
memory/4108-138-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/4484-140-0x0000000002160000-0x00000000021EF000-memory.dmp

Filesize
572KB

Download
memory/4484-141-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4484-130-0x0000000000000000-mapping.dmp

Download