25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e

Analysis

max time kernel
48s
max time network
70s
platform
windows10_x64
resource
win10-en-20211208
submitted
01-01-2022 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

config.exe
Size

2.1MB
MD5

cf351819c69c94fbdaec24cb8c30990b
SHA1

4911d5384ca3720c48a0c8ba47b1edba33dfa0ff
SHA256

25d18c3823a3b210a18e69c823ce4c59fab298c315ac2a5d891027921d1c6d7e
SHA512

c6ed66e7a0afa76ff2c583b91e90ed8a193af8c25ba5e81e29be652bbbdfaf1fa62047826066f8ebc3677873e6a75237103ec4dc61544c3e5c11eff2b401c5b9

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

config.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\BlockStep.crw => C:\Users\Admin\Pictures\BlockStep.crw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\ConvertConnect.png => C:\Users\Admin\Pictures\ConvertConnect.png.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSwitch.crw => C:\Users\Admin\Pictures\ConvertToSwitch.crw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\ExportTest.tiff => C:\Users\Admin\Pictures\ExportTest.tiff.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\UndoConfirm.raw => C:\Users\Admin\Pictures\UndoConfirm.raw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\PopInitialize.crw => C:\Users\Admin\Pictures\PopInitialize.crw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\AddExport.crw => C:\Users\Admin\Pictures\AddExport.crw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\DisconnectRepair.raw => C:\Users\Admin\Pictures\DisconnectRepair.raw.xyz	config.exe
File opened for modification	C:\Users\Admin\Pictures\ExportTest.tiff	config.exe
File renamed	C:\Users\Admin\Pictures\InstallUnblock.raw => C:\Users\Admin\Pictures\InstallUnblock.raw.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\MoveResume.tif => C:\Users\Admin\Pictures\MoveResume.tif.xyz	config.exe
File renamed	C:\Users\Admin\Pictures\PopGrant.raw => C:\Users\Admin\Pictures\PopGrant.raw.xyz	config.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 15 IoCs

Processes:

config.exe

description	ioc	process
File created	C:\Users\Admin\Favorites\Links\desktop.ini	config.exe
File created	C:\Users\Admin\Music\desktop.ini	config.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	config.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	config.exe
File created	C:\Users\Admin\Videos\desktop.ini	config.exe
File created	C:\Users\Admin\Downloads\desktop.ini	config.exe
File created	C:\Users\Admin\Desktop\desktop.ini	config.exe
File created	C:\Users\Admin\Contacts\desktop.ini	config.exe
File created	C:\Users\Admin\Favorites\desktop.ini	config.exe
File created	C:\Users\Admin\Links\desktop.ini	config.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	config.exe
File created	C:\Users\Admin\Searches\desktop.ini	config.exe
File created	C:\Users\Admin\Documents\desktop.ini	config.exe
File created	C:\Users\Admin\Pictures\desktop.ini	config.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	config.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cipher.exe

description ioc process

File opened (read-only) \??\D: cipher.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2016 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3804 NOTEPAD.EXE

description	ioc	process
File opened (read-only)	\??\D:	cipher.exe

pid	process
2016	vssadmin.exe

pid	process
3804	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2064	powershell.exe
2064	powershell.exe
2064	powershell.exe
2652	powershell.exe
680	powershell.exe
2652	powershell.exe
680	powershell.exe
2652	powershell.exe
680	powershell.exe
2532	powershell.exe
2532	powershell.exe
2532	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
748	powershell.exe
748	powershell.exe
748	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: 36	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	2680	wmic.exe
Token: SeSecurityPrivilege	2680	wmic.exe
Token: SeTakeOwnershipPrivilege	2680	wmic.exe
Token: SeLoadDriverPrivilege	2680	wmic.exe
Token: SeSystemProfilePrivilege	2680	wmic.exe
Token: SeSystemtimePrivilege	2680	wmic.exe
Token: SeProfSingleProcessPrivilege	2680	wmic.exe
Token: SeIncBasePriorityPrivilege	2680	wmic.exe
Token: SeCreatePagefilePrivilege	2680	wmic.exe
Token: SeBackupPrivilege	2680	wmic.exe
Token: SeRestorePrivilege	2680	wmic.exe
Token: SeShutdownPrivilege	2680	wmic.exe
Token: SeDebugPrivilege	2680	wmic.exe
Token: SeSystemEnvironmentPrivilege	2680	wmic.exe
Token: SeRemoteShutdownPrivilege	2680	wmic.exe
Token: SeUndockPrivilege	2680	wmic.exe
Token: SeManageVolumePrivilege	2680	wmic.exe
Token: 33	2680	wmic.exe
Token: 34	2680	wmic.exe
Token: 35	2680	wmic.exe
Token: 36	2680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1036	wmic.exe
Token: SeSecurityPrivilege	1036	wmic.exe
Token: SeTakeOwnershipPrivilege	1036	wmic.exe
Token: SeLoadDriverPrivilege	1036	wmic.exe
Token: SeSystemProfilePrivilege	1036	wmic.exe
Token: SeSystemtimePrivilege	1036	wmic.exe
Token: SeProfSingleProcessPrivilege	1036	wmic.exe
Token: SeIncBasePriorityPrivilege	1036	wmic.exe
Token: SeCreatePagefilePrivilege	1036	wmic.exe
Token: SeBackupPrivilege	1036	wmic.exe
Token: SeRestorePrivilege	1036	wmic.exe
Token: SeShutdownPrivilege	1036	wmic.exe
Token: SeDebugPrivilege	1036	wmic.exe
Token: SeSystemEnvironmentPrivilege	1036	wmic.exe
Token: SeRemoteShutdownPrivilege	1036	wmic.exe
Token: SeUndockPrivilege	1036	wmic.exe
Token: SeManageVolumePrivilege	1036	wmic.exe
Token: 33	1036	wmic.exe
Token: 34	1036	wmic.exe
Token: 35	1036	wmic.exe
Token: 36	1036	wmic.exe
Token: SeIncreaseQuotaPrivilege	1036	wmic.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

config.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3964 wrote to memory of 2680	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 2680	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 1036	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 1036	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 2064	3964	config.exe	powershell.exe
PID 3964 wrote to memory of 2064	3964	config.exe	powershell.exe
PID 2064 wrote to memory of 2652	2064	powershell.exe	powershell.exe
PID 2064 wrote to memory of 2652	2064	powershell.exe	powershell.exe
PID 3964 wrote to memory of 680	3964	config.exe	powershell.exe
PID 3964 wrote to memory of 680	3964	config.exe	powershell.exe
PID 2652 wrote to memory of 2016	2652	powershell.exe	vssadmin.exe
PID 2652 wrote to memory of 2016	2652	powershell.exe	vssadmin.exe
PID 680 wrote to memory of 2532	680	powershell.exe	powershell.exe
PID 680 wrote to memory of 2532	680	powershell.exe	powershell.exe
PID 3964 wrote to memory of 2208	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 2208	3964	config.exe	wmic.exe
PID 3964 wrote to memory of 3980	3964	config.exe	powershell.exe
PID 3964 wrote to memory of 3980	3964	config.exe	powershell.exe
PID 2532 wrote to memory of 1532	2532	powershell.exe	cipher.exe
PID 2532 wrote to memory of 1532	2532	powershell.exe	cipher.exe
PID 3980 wrote to memory of 748	3980	powershell.exe	powershell.exe
PID 3980 wrote to memory of 748	3980	powershell.exe	powershell.exe
PID 748 wrote to memory of 1572	748	powershell.exe	cipher.exe
PID 748 wrote to memory of 1572	748	powershell.exe	cipher.exe

C:\Users\Admin\AppData\Local\Temp\config.exe
"C:\Users\Admin\AppData\Local\Temp\config.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\System32\Wbem\wmic.exe
wmic MEMORYCHIP get Capacity
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\System32\Wbem\wmic.exe
wmic logicaldisk get name
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{vssadmin delete shadows /all /quiet}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" vssadmin delete shadows /all /quiet
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{ cipher /w:C:\}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\cipher.exe
"C:\Windows\system32\cipher.exe" /w:C:\
4⤵
PID:1532

C:\Windows\System32\Wbem\wmic.exe
wmic logicaldisk get name
2⤵
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start-process powershell -windowstyle hidden "{ cipher /w:D:\}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cipher /w:D:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\cipher.exe
"C:\Windows\system32\cipher.exe" /w:D:\
4⤵
- Enumerates connected drives
PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_Readme_.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
49667ac4d8eba76747746ac0389d5bd1

SHA1
c5081607d2fdbbf0816b8771f1440b8c79b77c6c

SHA256
b3f371844b4f728cb349bdc3e4097a5cd8a82de61a071eff06d5b7a351366f90

SHA512
baaf6c2a999d9d82c5849518b50bb799704fda58cee171bc71a2e13f3dabc7bbc1094b1f31996f974326b7ee164bb375207a0d90db82922c6fd99bb5f9c75864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
948945064d6d5a60eece4388e13e8903

SHA1
2a29043465241e4fe2e3db68daee91de771c6c6f

SHA256
f8b329583089521ebd33d567ba2bae3901f3b95790b8fdebdff85edc532655f9

SHA512
9aafd761904fef1a2018bac01e51f3a66744985d048037f0a36594c945145f21a4cf43b62168c71535f866aeef0301a088605ab1f15a21d7d7c3e9a2cbfc6cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7aa105c08efae6cc9d1cc59b3e72652d

SHA1
fce4d39e11014164395ff4db3e7a969417a20400

SHA256
7b7ceb94c24a890b92c5260d791e4f19e7b0811e53fc0e131c7838dfca02974f

SHA512
9659823a4add4bc632dcb406a5d1c080deb1449d5486eeeeaf4460c99c36079dc358606ae264efd2ffbe608ed83522e73328ac7dc2da69c5a09d99a013334f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7aa105c08efae6cc9d1cc59b3e72652d

SHA1
fce4d39e11014164395ff4db3e7a969417a20400

SHA256
7b7ceb94c24a890b92c5260d791e4f19e7b0811e53fc0e131c7838dfca02974f

SHA512
9659823a4add4bc632dcb406a5d1c080deb1449d5486eeeeaf4460c99c36079dc358606ae264efd2ffbe608ed83522e73328ac7dc2da69c5a09d99a013334f97

Download Submit
C:\Users\Admin\Desktop\_Readme_.txt
MD5
b5ecceb8ecd91574dbd6da6f0dd50426

SHA1
eae3d1ac3b4e3d937ca7724548f890daffe1d85d

SHA256
f9fa38d056242f3086b2fde741a66539fb35aafbc721ac25010f94cc666532ab

SHA512
7de8013df93e7827bbe6b4f0aa6b35b8d83eec6297151d4357bb17244f257201edbf2fa2cef8523e938627c61cd058a91b6fc6fe283fcc60dad7ee569dab1e98

Download Submit
memory/680-167-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-151-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-159-0x00000256D72B0000-0x00000256D72D2000-memory.dmp

Filesize
136KB

Download
memory/680-149-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-155-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-157-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-166-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-215-0x00000256BCC76000-0x00000256BCC78000-memory.dmp

Filesize
8KB

Download
memory/680-160-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-192-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-187-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-186-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-184-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-182-0x00000256BCC73000-0x00000256BCC75000-memory.dmp

Filesize
8KB

Download
memory/680-181-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-178-0x00000256BCC70000-0x00000256BCC72000-memory.dmp

Filesize
8KB

Download
memory/680-153-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-147-0x0000000000000000-mapping.dmp

Download
memory/680-170-0x00000256BCB90000-0x00000256BCB92000-memory.dmp

Filesize
8KB

Download
memory/680-169-0x00000256D7DA0000-0x00000256D7E16000-memory.dmp

Filesize
472KB

Download
memory/748-248-0x0000014B869F0000-0x0000014B869F2000-memory.dmp

Filesize
8KB

Download
memory/748-259-0x0000014B869F6000-0x0000014B869F8000-memory.dmp

Filesize
8KB

Download
memory/748-238-0x0000000000000000-mapping.dmp

Download
memory/748-254-0x0000014BA33A0000-0x0000014BA3416000-memory.dmp

Filesize
472KB

Download
memory/748-246-0x0000014BA28B0000-0x0000014BA28D2000-memory.dmp

Filesize
136KB

Download
memory/748-249-0x0000014B869F3000-0x0000014B869F5000-memory.dmp

Filesize
8KB

Download
memory/1036-116-0x0000000000000000-mapping.dmp

Download
memory/1532-219-0x0000000000000000-mapping.dmp

Download
memory/1572-257-0x0000000000000000-mapping.dmp

Download
memory/2016-176-0x0000000000000000-mapping.dmp

Download
memory/2064-146-0x000001AA26456000-0x000001AA26458000-memory.dmp

Filesize
8KB

Download
memory/2064-126-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-117-0x0000000000000000-mapping.dmp

Download
memory/2064-119-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-118-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-120-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-121-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-122-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-123-0x000001AA26450000-0x000001AA26452000-memory.dmp

Filesize
8KB

Download
memory/2064-124-0x000001AA26453000-0x000001AA26455000-memory.dmp

Filesize
8KB

Download
memory/2064-125-0x000001AA0DE80000-0x000001AA0DEA2000-memory.dmp

Filesize
136KB

Download
memory/2064-130-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-127-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-145-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-128-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-140-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-129-0x000001AA28E70000-0x000001AA28EE6000-memory.dmp

Filesize
472KB

Download
memory/2064-136-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-139-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2064-137-0x000001AA0C2D0000-0x000001AA0C2D2000-memory.dmp

Filesize
8KB

Download
memory/2208-193-0x0000000000000000-mapping.dmp

Download
memory/2532-197-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-216-0x00000272C2130000-0x00000272C2132000-memory.dmp

Filesize
8KB

Download
memory/2532-217-0x00000272C2133000-0x00000272C2135000-memory.dmp

Filesize
8KB

Download
memory/2532-194-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-195-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-196-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-191-0x0000000000000000-mapping.dmp

Download
memory/2532-198-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-199-0x00000272DC5A0000-0x00000272DC5C2000-memory.dmp

Filesize
136KB

Download
memory/2532-200-0x00000272C05B0000-0x00000272C05B2000-memory.dmp

Filesize
8KB

Download
memory/2532-210-0x00000272DD090000-0x00000272DD106000-memory.dmp

Filesize
472KB

Download
memory/2652-154-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-164-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-220-0x000001F83A4F6000-0x000001F83A4F8000-memory.dmp

Filesize
8KB

Download
memory/2652-180-0x000001F83A4F0000-0x000001F83A4F2000-memory.dmp

Filesize
8KB

Download
memory/2652-163-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-144-0x0000000000000000-mapping.dmp

Download
memory/2652-161-0x000001F854B90000-0x000001F854BB2000-memory.dmp

Filesize
136KB

Download
memory/2652-183-0x000001F83A4F3000-0x000001F83A4F5000-memory.dmp

Filesize
8KB

Download
memory/2652-165-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-156-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-158-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-168-0x000001F8556E0000-0x000001F855756000-memory.dmp

Filesize
472KB

Download
memory/2652-150-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-171-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2652-152-0x000001F83A450000-0x000001F83A452000-memory.dmp

Filesize
8KB

Download
memory/2680-115-0x0000000000000000-mapping.dmp

Download
memory/3980-225-0x00000246F84A0000-0x00000246F8516000-memory.dmp

Filesize
472KB

Download
memory/3980-247-0x00000246DD426000-0x00000246DD428000-memory.dmp

Filesize
8KB

Download
memory/3980-203-0x00000246DB9B0000-0x00000246DB9B2000-memory.dmp

Filesize
8KB

Download
memory/3980-201-0x0000000000000000-mapping.dmp

Download
memory/3980-218-0x00000246DD420000-0x00000246DD422000-memory.dmp

Filesize
8KB

Download
memory/3980-222-0x00000246DD423000-0x00000246DD425000-memory.dmp

Filesize
8KB

Download
memory/3980-212-0x00000246DD3D0000-0x00000246DD3F2000-memory.dmp

Filesize
136KB

Download
memory/3980-204-0x00000246DB9B0000-0x00000246DB9B2000-memory.dmp

Filesize
8KB

Download