oski | 18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472

Analysis

max time kernel
118s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-01-2022 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Size

867KB
MD5

39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1

9d0df13ef8de579a2bbfba88e938a836ffab1069
SHA256

18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
SHA512

d2e4b81133cb427a52ba10cbde23ea16ed33dc0c57affc55afa0ca5bbf68e03841e258ca153c5f217fe0f4f483f3705882eb556718f9c98f508db7144b7b51bb

Score

10^/10

oski stormkitty collection infostealer persistence spyware stealer vmprotect

Malware Config

Extracted

Family

oski

pplonline.org/Cgi/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1180-133-0x0000000004AC0000-0x0000000004B6A000-memory.dmp	family_stormkitty
behavioral2/memory/1180-140-0x00000000050A0000-0x0000000005148000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\chormuim.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\chormuim.exe	family_stormkitty
behavioral2/memory/3584-146-0x0000000000BC0000-0x0000000000C1E000-memory.dmp	family_stormkitty
behavioral2/memory/3584-147-0x0000000000BC0000-0x0000000000C1E000-memory.dmp	family_stormkitty
behavioral2/memory/3584-149-0x0000000001380000-0x0000000001404000-memory.dmp	family_stormkitty

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

svchoste.exedll.exetaskshell.exechormuimii.exechormuim.exe

pid process

2784 svchoste.exe
3508 dll.exe
520 taskshell.exe
1180 chormuimii.exe
3584 chormuim.exe

pid	process
2784	svchoste.exe
3508	dll.exe
520	taskshell.exe
1180	chormuimii.exe
3584	chormuim.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3584-164-0x000000001C580000-0x000000001C604000-memory.dmp	vmprotect
behavioral2/memory/3584-165-0x000000001C580000-0x000000001C604000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll	vmprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

chormuim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	chormuim.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	chormuim.exe
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	chormuim.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dll.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\AMD Driver\\taskshell.exe"	dll.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
30 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1044 2784 WerFault.exe svchoste.exe

flow	ioc
20	ip-api.com
30	icanhazip.com

pid	pid_target	process	target process
1044	2784	WerFault.exe	svchoste.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chormuim.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	chormuim.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	chormuim.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3508 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1208 taskkill.exe

pid	process
3508	timeout.exe

pid	process
1208	taskkill.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

dll.exeWerFault.exechormuim.exe

pid	process
3508	dll.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
1044	WerFault.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe
3584	chormuim.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

dll.exechormuim.exeWerFault.exemsiexec.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3508	dll.exe
Token: SeDebugPrivilege	3584	chormuim.exe
Token: SeRestorePrivilege	1044	WerFault.exe
Token: SeBackupPrivilege	1044	WerFault.exe
Token: SeDebugPrivilege	1044	WerFault.exe
Token: SeSecurityPrivilege	1528	msiexec.exe
Token: SeDebugPrivilege	1208	taskkill.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exedll.exechormuimii.exechormuim.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2452 wrote to memory of 2784	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 2452 wrote to memory of 2784	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 2452 wrote to memory of 2784	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	svchoste.exe
PID 2452 wrote to memory of 3508	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	dll.exe
PID 2452 wrote to memory of 3508	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	dll.exe
PID 3508 wrote to memory of 520	3508	dll.exe	taskshell.exe
PID 3508 wrote to memory of 520	3508	dll.exe	taskshell.exe
PID 3508 wrote to memory of 520	3508	dll.exe	taskshell.exe
PID 2452 wrote to memory of 1180	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 2452 wrote to memory of 1180	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 2452 wrote to memory of 1180	2452	18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe	chormuimii.exe
PID 1180 wrote to memory of 3584	1180	chormuimii.exe	chormuim.exe
PID 1180 wrote to memory of 3584	1180	chormuimii.exe	chormuim.exe
PID 3584 wrote to memory of 3000	3584	chormuim.exe	cmd.exe
PID 3584 wrote to memory of 3000	3584	chormuim.exe	cmd.exe
PID 3000 wrote to memory of 3644	3000	cmd.exe	chcp.com
PID 3000 wrote to memory of 3644	3000	cmd.exe	chcp.com
PID 3000 wrote to memory of 2184	3000	cmd.exe	netsh.exe
PID 3000 wrote to memory of 2184	3000	cmd.exe	netsh.exe
PID 3000 wrote to memory of 1048	3000	cmd.exe	findstr.exe
PID 3000 wrote to memory of 1048	3000	cmd.exe	findstr.exe
PID 3584 wrote to memory of 2756	3584	chormuim.exe	cmd.exe
PID 3584 wrote to memory of 2756	3584	chormuim.exe	cmd.exe
PID 2756 wrote to memory of 2216	2756	cmd.exe	chcp.com
PID 2756 wrote to memory of 2216	2756	cmd.exe	chcp.com
PID 2756 wrote to memory of 3600	2756	cmd.exe	netsh.exe
PID 2756 wrote to memory of 3600	2756	cmd.exe	netsh.exe
PID 3584 wrote to memory of 1432	3584	chormuim.exe	cmd.exe
PID 3584 wrote to memory of 1432	3584	chormuim.exe	cmd.exe
PID 1432 wrote to memory of 2764	1432	cmd.exe	chcp.com
PID 1432 wrote to memory of 2764	1432	cmd.exe	chcp.com
PID 1432 wrote to memory of 1208	1432	cmd.exe	taskkill.exe
PID 1432 wrote to memory of 1208	1432	cmd.exe	taskkill.exe
PID 1432 wrote to memory of 3508	1432	cmd.exe	timeout.exe
PID 1432 wrote to memory of 3508	1432	cmd.exe	timeout.exe

outlook_office_path 1 IoCs

Processes:

chormuim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	chormuim.exe

outlook_win_path 1 IoCs

Processes:

chormuim.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	chormuim.exe

C:\Users\Admin\AppData\Local\Temp\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
"C:\Users\Admin\AppData\Local\Temp\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\svchoste.exe
"C:\Users\Admin\AppData\Local\Temp\svchoste.exe"
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1244
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Users\Admin\AppData\Local\Temp\dll.exe
"C:\Users\Admin\AppData\Local\Temp\dll.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508

C:\ProgramData\AMD Driver\taskshell.exe
"C:\ProgramData\AMD Driver\taskshell.exe"
3⤵
- Executes dropped EXE
PID:520

C:\Users\Admin\AppData\Local\Temp\chormuimii.exe
"C:\Users\Admin\AppData\Local\Temp\chormuimii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\chormuim.exe
"C:\Users\Admin\AppData\Local\Temp\chormuim.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:3584

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3644

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:2184

C:\Windows\system32\findstr.exe
findstr All
5⤵
PID:1048

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2216

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:3600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp2D9D.tmp.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:2764

C:\Windows\system32\taskkill.exe
TaskKill /F /IM 3584
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\system32\timeout.exe
Timeout /T 2 /Nobreak
5⤵
- Delays execution with timeout.exe
PID:3508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMD Driver\taskshell.exe
MD5
b335eeb40d0443dadcdefc578a23b5da

SHA1
67af99514e1230182e4dc463f1c6ba42047ad213

SHA256
5d67a694351d9bdb571ef7b9217e7e05ef88b0f650bbd539217d3a686c077586

SHA512
0e9e12f32f5011c4b8b09a59b9e58c2811142ff9541428b6ebde07b6e2f4adf41a0d65957d824712df27769e5ae9281d300f76439576100b362acd00fa09e114

Download Submit
C:\ProgramData\AMD Driver\taskshell.exe
MD5
b335eeb40d0443dadcdefc578a23b5da

SHA1
67af99514e1230182e4dc463f1c6ba42047ad213

SHA256
5d67a694351d9bdb571ef7b9217e7e05ef88b0f650bbd539217d3a686c077586

SHA512
0e9e12f32f5011c4b8b09a59b9e58c2811142ff9541428b6ebde07b6e2f4adf41a0d65957d824712df27769e5ae9281d300f76439576100b362acd00fa09e114

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnonFileApi.dll
MD5
7a2d5deab61f043394a510f4e2c0866f

SHA1
ca16110c9cf6522cd7bea32895fd0f697442849b

SHA256
75db945388f62f2de3d3eaae911f49495f289244e2fec9b25455c2d686989f69

SHA512
b66b0bf227762348a5ede3c2578d5bc089c222f632a705241bcc63d56620bef238c67ca2bd400ba7874b2bc168e279673b0e105b73282bc69aa21a7fd34bafe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
MD5
6d1c62ec1c2ef722f49b2d8dd4a4df16

SHA1
1bb08a979b7987bc7736a8cfa4779383cb0ecfa6

SHA256
00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c

SHA512
c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuim.exe
MD5
69450ec78e3aa15178a8a90079551137

SHA1
c77904954955906c1792b956cb58be00a9ccb140

SHA256
6247f4af4cef102c5fd74f4544ff0d9805a9f3e3c1ece327c5cc4d674f06c7b1

SHA512
df108ea9a113476a4c891c6f52fb5f2e0c9c128660cc476f106333ddc81fb9cdc766971289d0ea7ceaad0dddecc531cc1fab7c3f6b35ad0bda546a4d450496f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuim.exe
MD5
69450ec78e3aa15178a8a90079551137

SHA1
c77904954955906c1792b956cb58be00a9ccb140

SHA256
6247f4af4cef102c5fd74f4544ff0d9805a9f3e3c1ece327c5cc4d674f06c7b1

SHA512
df108ea9a113476a4c891c6f52fb5f2e0c9c128660cc476f106333ddc81fb9cdc766971289d0ea7ceaad0dddecc531cc1fab7c3f6b35ad0bda546a4d450496f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuimii.exe
MD5
535bd46107780dbb3425e23c175e85f9

SHA1
f2ef993fabd5fb2172dccc6f20033b0565c04fa0

SHA256
37d460cea9227867807e21051990ed580d9bafc35746dd1f6ea48e424438ec2d

SHA512
82ba3c603c9d0bd3ae80db7575e978552d3073c33c2f4957238e4f8721b6d7fb5ee4ff36143d2e62a8e48eda7aeb4ee1a1afcfc2ed8ccf2ab3eaf18827382646

Download Submit
C:\Users\Admin\AppData\Local\Temp\chormuimii.exe
MD5
535bd46107780dbb3425e23c175e85f9

SHA1
f2ef993fabd5fb2172dccc6f20033b0565c04fa0

SHA256
37d460cea9227867807e21051990ed580d9bafc35746dd1f6ea48e424438ec2d

SHA512
82ba3c603c9d0bd3ae80db7575e978552d3073c33c2f4957238e4f8721b6d7fb5ee4ff36143d2e62a8e48eda7aeb4ee1a1afcfc2ed8ccf2ab3eaf18827382646

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe
MD5
461cbdd5b0d2801a736e21aef6c7ced3

SHA1
62ac275945407dc00402eeb2272fe1e47fb6d7e0

SHA256
9eb507b9bff383e0c96f4d535352978a801b02e4c00c8416882a3f4f7a625595

SHA512
85f6513d0fabb5d3bb9e045c8a3c0a11f833b33ff1be8adcdb76e61d44216c7cae14cef594747bbdb51fce755814ade02f4db60a2f2319b7e5921624bd7b0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dll.exe
MD5
461cbdd5b0d2801a736e21aef6c7ced3

SHA1
62ac275945407dc00402eeb2272fe1e47fb6d7e0

SHA256
9eb507b9bff383e0c96f4d535352978a801b02e4c00c8416882a3f4f7a625595

SHA512
85f6513d0fabb5d3bb9e045c8a3c0a11f833b33ff1be8adcdb76e61d44216c7cae14cef594747bbdb51fce755814ade02f4db60a2f2319b7e5921624bd7b0abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchoste.exe
MD5
9f209b4720986407a79bd4c598087587

SHA1
ba52f693587ef169d590351639b4c810dccd8427

SHA256
76488918853ce10b808bd2fad4f8c37ff9ca59f321c03c7700e0771f922113d3

SHA512
fce9032027d61ec4026b2dc4f762d7d05e1ac820b1dc6ba6ad6b8631a040389fc8a838a9a1778992263430411d38ecb60085f87454bdefff7be3a2a0345c122e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2D9D.tmp.bat
MD5
4c2b13f238a2801193021f4c6f6515b7

SHA1
f12f2e97aed8a9b2f7ded6fadb67e9fd7c3586fa

SHA256
13ccb8b207017c10d9184600ff8a4ff5369a2b17499aac8982ef2b12a19f48de

SHA512
bad26b345244dbb5b30d8c0a055d3a31771b354329015f52a6cfa58b4b4762b6f5d959bb05d356937b5dfb78e14de7092a7ac43d9eaa6fc63bbfed04ae99d38c

Download Submit
memory/520-148-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/520-142-0x0000000005D50000-0x0000000005D5A000-memory.dmp

Filesize
40KB

Download
memory/520-131-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/520-138-0x0000000005730000-0x0000000005C2E000-memory.dmp

Filesize
5.0MB

Download
memory/520-125-0x0000000000000000-mapping.dmp

Download
memory/520-141-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download
memory/520-135-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download
memory/1048-155-0x0000000000000000-mapping.dmp

Download
memory/1180-134-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/1180-137-0x0000000004B93000-0x0000000004B94000-memory.dmp

Filesize
4KB

Download
memory/1180-139-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/1180-136-0x0000000004B92000-0x0000000004B93000-memory.dmp

Filesize
4KB

Download
memory/1180-140-0x00000000050A0000-0x0000000005148000-memory.dmp

Filesize
672KB

Download
memory/1180-133-0x0000000004AC0000-0x0000000004B6A000-memory.dmp

Filesize
680KB

Download
memory/1180-128-0x0000000000000000-mapping.dmp

Download
memory/1208-171-0x0000000000000000-mapping.dmp

Download
memory/1432-168-0x0000000000000000-mapping.dmp

Download
memory/1528-157-0x000001CC596F0000-0x000001CC596F2000-memory.dmp

Filesize
8KB

Download
memory/1528-156-0x000001CC596F0000-0x000001CC596F2000-memory.dmp

Filesize
8KB

Download
memory/2184-154-0x0000000000000000-mapping.dmp

Download
memory/2216-161-0x0000000000000000-mapping.dmp

Download
memory/2452-132-0x000000001B9E0000-0x000000001B9E2000-memory.dmp

Filesize
8KB

Download
memory/2452-115-0x0000000000CD0000-0x0000000000DAE000-memory.dmp

Filesize
888KB

Download
memory/2452-116-0x0000000000CD0000-0x0000000000DAE000-memory.dmp

Filesize
888KB

Download
memory/2756-160-0x0000000000000000-mapping.dmp

Download
memory/2764-170-0x0000000000000000-mapping.dmp

Download
memory/2784-117-0x0000000000000000-mapping.dmp

Download
memory/3000-152-0x0000000000000000-mapping.dmp

Download
memory/3508-123-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/3508-122-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/3508-119-0x0000000000000000-mapping.dmp

Download
memory/3508-172-0x0000000000000000-mapping.dmp

Download
memory/3584-149-0x0000000001380000-0x0000000001404000-memory.dmp

Filesize
528KB

Download
memory/3584-167-0x0000000001070000-0x000000000107A000-memory.dmp

Filesize
40KB

Download
memory/3584-143-0x0000000000000000-mapping.dmp

Download
memory/3584-163-0x000000001B860000-0x000000001B8D6000-memory.dmp

Filesize
472KB

Download
memory/3584-164-0x000000001C580000-0x000000001C604000-memory.dmp

Filesize
528KB

Download
memory/3584-165-0x000000001C580000-0x000000001C604000-memory.dmp

Filesize
528KB

Download
memory/3584-166-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3584-158-0x000000001B942000-0x000000001B944000-memory.dmp

Filesize
8KB

Download
memory/3584-159-0x000000001B944000-0x000000001B946000-memory.dmp

Filesize
8KB

Download
memory/3584-146-0x0000000000BC0000-0x0000000000C1E000-memory.dmp

Filesize
376KB

Download
memory/3584-151-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/3584-150-0x0000000001030000-0x0000000001036000-memory.dmp

Filesize
24KB

Download
memory/3584-147-0x0000000000BC0000-0x0000000000C1E000-memory.dmp

Filesize
376KB

Download
memory/3600-162-0x0000000000000000-mapping.dmp

Download
memory/3644-153-0x0000000000000000-mapping.dmp

Download