sality | 6d8d2c284235cac81763ee58e196b2f0b1e865cf192de04a64a4c3ecb350c85c

Analysis

max time kernel
140s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-02-2022 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ScriptCryptor.exe
Size

528KB
MD5

55215f0ef9972f69b60f3f21a27a07d0
SHA1

3fd5fb6f8bcd8fa33604a24ae0c856d451fba539
SHA256

6d8d2c284235cac81763ee58e196b2f0b1e865cf192de04a64a4c3ecb350c85c
SHA512

3367a528ec827b0d28c748c8e5304d883586685cf1dccf6abce095db01e3d36f16f486c0fd21984ca7e593c4e4962dee4dc71f0fa4eeb097d8e1972c559e9e6d

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	ScriptCryptor.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-130-0x00000000024F0000-0x000000000357E000-memory.dmp	upx
behavioral2/memory/4128-131-0x00000000024F0000-0x000000000357E000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	ScriptCryptor.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	ScriptCryptor.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	ScriptCryptor.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ScriptCryptor.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	ScriptCryptor.exe
File opened (read-only)	\??\I:	ScriptCryptor.exe
File opened (read-only)	\??\P:	ScriptCryptor.exe
File opened (read-only)	\??\S:	ScriptCryptor.exe
File opened (read-only)	\??\V:	ScriptCryptor.exe
File opened (read-only)	\??\X:	ScriptCryptor.exe
File opened (read-only)	\??\E:	ScriptCryptor.exe
File opened (read-only)	\??\F:	ScriptCryptor.exe
File opened (read-only)	\??\J:	ScriptCryptor.exe
File opened (read-only)	\??\K:	ScriptCryptor.exe
File opened (read-only)	\??\O:	ScriptCryptor.exe
File opened (read-only)	\??\Q:	ScriptCryptor.exe
File opened (read-only)	\??\U:	ScriptCryptor.exe
File opened (read-only)	\??\G:	ScriptCryptor.exe
File opened (read-only)	\??\N:	ScriptCryptor.exe
File opened (read-only)	\??\W:	ScriptCryptor.exe
File opened (read-only)	\??\Y:	ScriptCryptor.exe
File opened (read-only)	\??\Z:	ScriptCryptor.exe
File opened (read-only)	\??\L:	ScriptCryptor.exe
File opened (read-only)	\??\M:	ScriptCryptor.exe
File opened (read-only)	\??\R:	ScriptCryptor.exe
File opened (read-only)	\??\T:	ScriptCryptor.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	ScriptCryptor.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	ScriptCryptor.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SYSTEM.INI	ScriptCryptor.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe
4128	ScriptCryptor.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe
Token: SeDebugPrivilege	4128	ScriptCryptor.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4128	ScriptCryptor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 760	4128	ScriptCryptor.exe	3
PID 4128 wrote to memory of 756	4128	ScriptCryptor.exe	76
PID 4128 wrote to memory of 1016	4128	ScriptCryptor.exe	5
PID 4128 wrote to memory of 2304	4128	ScriptCryptor.exe	49
PID 4128 wrote to memory of 2340	4128	ScriptCryptor.exe	48
PID 4128 wrote to memory of 2420	4128	ScriptCryptor.exe	47
PID 4128 wrote to memory of 3044	4128	ScriptCryptor.exe	16
PID 4128 wrote to memory of 1304	4128	ScriptCryptor.exe	15
PID 4128 wrote to memory of 3252	4128	ScriptCryptor.exe	14
PID 4128 wrote to memory of 3344	4128	ScriptCryptor.exe	13
PID 4128 wrote to memory of 3424	4128	ScriptCryptor.exe	12
PID 4128 wrote to memory of 3504	4128	ScriptCryptor.exe	25
PID 4128 wrote to memory of 3760	4128	ScriptCryptor.exe	45
PID 4128 wrote to memory of 3180	4128	ScriptCryptor.exe	26
PID 4128 wrote to memory of 4620	4128	ScriptCryptor.exe	38
PID 4128 wrote to memory of 2752	4128	ScriptCryptor.exe	28
PID 4128 wrote to memory of 2756	4128	ScriptCryptor.exe	27
PID 4128 wrote to memory of 760	4128	ScriptCryptor.exe	3
PID 4128 wrote to memory of 756	4128	ScriptCryptor.exe	76
PID 4128 wrote to memory of 1016	4128	ScriptCryptor.exe	5
PID 4128 wrote to memory of 2304	4128	ScriptCryptor.exe	49
PID 4128 wrote to memory of 2340	4128	ScriptCryptor.exe	48
PID 4128 wrote to memory of 2420	4128	ScriptCryptor.exe	47
PID 4128 wrote to memory of 3044	4128	ScriptCryptor.exe	16
PID 4128 wrote to memory of 1304	4128	ScriptCryptor.exe	15
PID 4128 wrote to memory of 3252	4128	ScriptCryptor.exe	14
PID 4128 wrote to memory of 3344	4128	ScriptCryptor.exe	13
PID 4128 wrote to memory of 3424	4128	ScriptCryptor.exe	12
PID 4128 wrote to memory of 3504	4128	ScriptCryptor.exe	25
PID 4128 wrote to memory of 3760	4128	ScriptCryptor.exe	45
PID 4128 wrote to memory of 3180	4128	ScriptCryptor.exe	26
PID 4128 wrote to memory of 4620	4128	ScriptCryptor.exe	38
PID 4128 wrote to memory of 2752	4128	ScriptCryptor.exe	28
PID 4128 wrote to memory of 760	4128	ScriptCryptor.exe	3
PID 4128 wrote to memory of 756	4128	ScriptCryptor.exe	76
PID 4128 wrote to memory of 1016	4128	ScriptCryptor.exe	5
PID 4128 wrote to memory of 2304	4128	ScriptCryptor.exe	49
PID 4128 wrote to memory of 2340	4128	ScriptCryptor.exe	48
PID 4128 wrote to memory of 2420	4128	ScriptCryptor.exe	47
PID 4128 wrote to memory of 3044	4128	ScriptCryptor.exe	16
PID 4128 wrote to memory of 1304	4128	ScriptCryptor.exe	15
PID 4128 wrote to memory of 3252	4128	ScriptCryptor.exe	14
PID 4128 wrote to memory of 3344	4128	ScriptCryptor.exe	13
PID 4128 wrote to memory of 3424	4128	ScriptCryptor.exe	12
PID 4128 wrote to memory of 3504	4128	ScriptCryptor.exe	25
PID 4128 wrote to memory of 3760	4128	ScriptCryptor.exe	45
PID 4128 wrote to memory of 3180	4128	ScriptCryptor.exe	26
PID 4128 wrote to memory of 4620	4128	ScriptCryptor.exe	38
PID 4128 wrote to memory of 2752	4128	ScriptCryptor.exe	28
PID 4128 wrote to memory of 760	4128	ScriptCryptor.exe	3
PID 4128 wrote to memory of 756	4128	ScriptCryptor.exe	76
PID 4128 wrote to memory of 1016	4128	ScriptCryptor.exe	5
PID 4128 wrote to memory of 2304	4128	ScriptCryptor.exe	49
PID 4128 wrote to memory of 2340	4128	ScriptCryptor.exe	48
PID 4128 wrote to memory of 2420	4128	ScriptCryptor.exe	47
PID 4128 wrote to memory of 3044	4128	ScriptCryptor.exe	16
PID 4128 wrote to memory of 1304	4128	ScriptCryptor.exe	15
PID 4128 wrote to memory of 3252	4128	ScriptCryptor.exe	14
PID 4128 wrote to memory of 3344	4128	ScriptCryptor.exe	13
PID 4128 wrote to memory of 3424	4128	ScriptCryptor.exe	12
PID 4128 wrote to memory of 3504	4128	ScriptCryptor.exe	25
PID 4128 wrote to memory of 3760	4128	ScriptCryptor.exe	45
PID 4128 wrote to memory of 3180	4128	ScriptCryptor.exe	26
PID 4128 wrote to memory of 4620	4128	ScriptCryptor.exe	38

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ScriptCryptor.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:760

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3424

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1304

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3044
- C:\Users\Admin\AppData\Local\Temp\ScriptCryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\ScriptCryptor.exe"
  2⤵
  - Modifies firewall policy service
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4128

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3180

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2756

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2752

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3760

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2304

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3096

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-138-0x000001B71AB80000-0x000001B71AB90000-memory.dmp

Filesize
64KB

Download
memory/3096-140-0x000001B71DF60000-0x000001B71DF64000-memory.dmp

Filesize
16KB

Download
memory/3096-139-0x000001B71B360000-0x000001B71B370000-memory.dmp

Filesize
64KB

Download
memory/4128-133-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4128-134-0x000000000046B000-0x000000000046C000-memory.dmp

Filesize
4KB

Download
memory/4128-135-0x000000000046C000-0x000000000046D000-memory.dmp

Filesize
4KB

Download
memory/4128-136-0x0000000005A60000-0x0000000005A62000-memory.dmp

Filesize
8KB

Download
memory/4128-137-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4128-130-0x00000000024F0000-0x000000000357E000-memory.dmp

Filesize
16.6MB

Download
memory/4128-132-0x0000000000760000-0x0000000000762000-memory.dmp

Filesize
8KB

Download
memory/4128-131-0x00000000024F0000-0x000000000357E000-memory.dmp

Filesize
16.6MB

Download
memory/4128-141-0x000000000046B000-0x000000000046C000-memory.dmp

Filesize
4KB

Download
memory/4128-142-0x000000000046C000-0x000000000046D000-memory.dmp

Filesize
4KB

Download