blackmoon | e03193692369abba7bce150aa3d954d6d72653b6eaa64da050ef0b9bbd3cf8b1

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
10-07-2022 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vape V4.08.exe
Size

12.3MB
MD5

8a6e94a3f25c16c3589b5d285241aea0
SHA1

621e46fa5c5f6c16a4335e4d9cc246b74b92b22a
SHA256

e03193692369abba7bce150aa3d954d6d72653b6eaa64da050ef0b9bbd3cf8b1
SHA512

eb9e8a7857c060d4283c93a2144d579d183859a6a40b1c0218c7b883571f0d38852710a7e2ad4f6da125ebd7036c594ba72a47f171c243fc74933d331b701571

Score

10^/10

blackmoon banker evasion persistence trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe	family_blackmoon
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe	family_blackmoon
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp	family_blackmoon
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp	family_blackmoon

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vape.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vape.exe
Executes dropped EXE 3 IoCs

Processes:

._cache_Vape V4.08.exeSynaptics.exevape.exe

pid process

1292 ._cache_Vape V4.08.exe
4664 Synaptics.exe
1832 vape.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vape.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

._cache_Vape V4.08.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Remote\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	._cache_Vape V4.08.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3588-143-0x0000000000DF0000-0x0000000000DFB000-memory.dmp	upx
behavioral2/memory/3588-153-0x0000000000DF0000-0x0000000000DFB000-memory.dmp	upx
behavioral2/memory/3548-151-0x0000000000E90000-0x0000000000E9B000-memory.dmp	upx
behavioral2/memory/3548-155-0x0000000000E90000-0x0000000000E9B000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vape.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vape.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vape.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Vape V4.08.exe._cache_Vape V4.08.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Vape V4.08.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	._cache_Vape V4.08.exe

Loads dropped DLL 2 IoCs

Processes:

svchost.exerundll32.exe

pid process

3588 svchost.exe
3548 rundll32.exe

pid	process
3588	svchost.exe
3548	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Vape V4.08.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Vape V4.08.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vape.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vape.exe
Drops file in System32 directory 1 IoCs

Processes:

._cache_Vape V4.08.exe

description ioc process

File created C:\Windows\SysWOW64\Delete00.bat ._cache_Vape V4.08.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vape.exe

pid process

1832 vape.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2276 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2000 1832 WerFault.exe vape.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vape.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Delete00.bat	._cache_Vape V4.08.exe

pid	process
1832	vape.exe

pid	process
2276	sc.exe

pid	pid_target	process	target process
2000	1832	WerFault.exe	vape.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

Vape V4.08.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Vape V4.08.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3516 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1476 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Vape V4.08.exe

pid	process
3516	PING.EXE

pid	process
1476	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Vape V4.08.exesvchost.exerundll32.exe

pid	process
1292	._cache_Vape V4.08.exe
1292	._cache_Vape V4.08.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3548	rundll32.exe
3548	rundll32.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe
3588	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

._cache_Vape V4.08.exesvchost.exerundll32.exevape.exe

description	pid	process
Token: SeDebugPrivilege	1292	._cache_Vape V4.08.exe
Token: SeDebugPrivilege	3588	svchost.exe
Token: SeDebugPrivilege	3548	rundll32.exe
Token: SeDebugPrivilege	1832	vape.exe
Token: SeDebugPrivilege	1832	vape.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1476 EXCEL.EXE
1476 EXCEL.EXE
1476 EXCEL.EXE
1476 EXCEL.EXE
1476 EXCEL.EXE

pid	process
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE
1476	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Vape V4.08.exe._cache_Vape V4.08.exesvchost.execmd.exe

description	pid	process	target process
PID 2300 wrote to memory of 1292	2300	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 2300 wrote to memory of 1292	2300	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 2300 wrote to memory of 1292	2300	Vape V4.08.exe	._cache_Vape V4.08.exe
PID 2300 wrote to memory of 4664	2300	Vape V4.08.exe	Synaptics.exe
PID 2300 wrote to memory of 4664	2300	Vape V4.08.exe	Synaptics.exe
PID 2300 wrote to memory of 4664	2300	Vape V4.08.exe	Synaptics.exe
PID 1292 wrote to memory of 1832	1292	._cache_Vape V4.08.exe	vape.exe
PID 1292 wrote to memory of 1832	1292	._cache_Vape V4.08.exe	vape.exe
PID 1292 wrote to memory of 2276	1292	._cache_Vape V4.08.exe	sc.exe
PID 1292 wrote to memory of 2276	1292	._cache_Vape V4.08.exe	sc.exe
PID 1292 wrote to memory of 2276	1292	._cache_Vape V4.08.exe	sc.exe
PID 1292 wrote to memory of 4460	1292	._cache_Vape V4.08.exe	cmd.exe
PID 1292 wrote to memory of 4460	1292	._cache_Vape V4.08.exe	cmd.exe
PID 1292 wrote to memory of 4460	1292	._cache_Vape V4.08.exe	cmd.exe
PID 3588 wrote to memory of 3600	3588	svchost.exe	rundll32.exe
PID 3588 wrote to memory of 3600	3588	svchost.exe	rundll32.exe
PID 3588 wrote to memory of 3600	3588	svchost.exe	rundll32.exe
PID 3588 wrote to memory of 3548	3588	svchost.exe	rundll32.exe
PID 3588 wrote to memory of 3548	3588	svchost.exe	rundll32.exe
PID 3588 wrote to memory of 3548	3588	svchost.exe	rundll32.exe
PID 4460 wrote to memory of 3516	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3516	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3516	4460	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Vape V4.08.exe
"C:\Users\Admin\AppData\Local\Temp\Vape V4.08.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe"
  2⤵
  - Executes dropped EXE
  - Sets DLL path for service in the registry
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Roaming\vape.exe
    "C:\Users\Admin\AppData\Roaming\vape.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1832 -s 588
      4⤵
      Program crash
      PID:2000
- - C:\Windows\SysWOW64\sc.exe
    sc failure Remote reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3516
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  PID:4664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3588
  2⤵
  PID:3600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp,init default |3588
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1832 -ip 1832
1⤵
PID:3788

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
C:\ProgramData\Microsoft\Windows\GameExplorer\Remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
754KB

MD5
f9eb220b1ce902c3c8a7d13192132801

SHA1
f40ae4e3ceb6b424300831b09344b28d56f8725f

SHA256
5829f18735327892cf44de73b69917a452df54d396015f15fc2d8ac23e42f676

SHA512
e6ac2102e5df01933c40a9b7c071e504ae578c95e432ab7a42f0ce017b9368e37c1db558be4639f51f4551b0f1ad08e00d342ca536757b08d2d6681fbf4632b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe

Filesize
11.5MB

MD5
82fef60d0199e8419392666b0a91c5d9

SHA1
c671905ef7452ab527654ccc9b765aef6822ffaf

SHA256
aa8e053d42b18d924b7870a1956e0f91dfb04a39dad285c5f23a7a699004143e

SHA512
86ffd6a9fc857aa363b6edc53ef469d3203748de06cde156bce1e41d0a403b72ff8a2d7a79f468fc16473ae6c548a1ddc22f27c9a9021099dc998b4f50a2d047

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Vape V4.08.exe

Filesize
11.5MB

MD5
82fef60d0199e8419392666b0a91c5d9

SHA1
c671905ef7452ab527654ccc9b765aef6822ffaf

SHA256
aa8e053d42b18d924b7870a1956e0f91dfb04a39dad285c5f23a7a699004143e

SHA512
86ffd6a9fc857aa363b6edc53ef469d3203748de06cde156bce1e41d0a403b72ff8a2d7a79f468fc16473ae6c548a1ddc22f27c9a9021099dc998b4f50a2d047

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIDiN2KX.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\vape.exe

Filesize
10.2MB

MD5
1f776b1fa0b6f942c3ee927f98454d6d

SHA1
e0b67b2f3990dd15949ba5aa4a0e2e46f482af51

SHA256
1e960b61f77a0cd31e4947a5d9d1475d7e90d24b122f112fa7c402ccba267f08

SHA512
fc7d5809f8f993eea380eb97cf26e31d9aa09e66d569e5d2a7a14606154f9b198967183b1fe7181a1d76d8d03816c418ac0e7afffb590b70409cb3e42ddf81eb

Download Submit
C:\Users\Admin\AppData\Roaming\vape.exe

Filesize
10.2MB

MD5
1f776b1fa0b6f942c3ee927f98454d6d

SHA1
e0b67b2f3990dd15949ba5aa4a0e2e46f482af51

SHA256
1e960b61f77a0cd31e4947a5d9d1475d7e90d24b122f112fa7c402ccba267f08

SHA512
fc7d5809f8f993eea380eb97cf26e31d9aa09e66d569e5d2a7a14606154f9b198967183b1fe7181a1d76d8d03816c418ac0e7afffb590b70409cb3e42ddf81eb

Download Submit
C:\Windows\SysWOW64\Delete00.bat

Filesize
119B

MD5
1a36b583a9ef6c9b5f86eb08b185cb35

SHA1
3e393270346c0a2abe0b9ed8a69fee1ad5376656

SHA256
80722732cc6abaa35a906088a6fb5a1ec08dd0be3b323be8bf174717e839fe23

SHA512
4754e7070ff76966ce27ba224b6b7ad14a41cc8293cb3e8bd65fe3eae23b70f0896561ad52481ca2876bda23714595829295cb885e2b194e9f45f8f831cf2eb5

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
928KB

MD5
131bf7836fa24a3e155ecc1e0434caab

SHA1
ae1793905e4f21f395a9f785cef101de4b12d454

SHA256
41bf85654334e16abab4294f1d25ba6c247be8f369448238e15b77e9c726e2d7

SHA512
b2dfe605d900f62a5c62d45b97aeb4306fd57125c1fdb0fb600dad722ac28fda06365be4279a593390064339e97416d3f9fdb1c09bc11bb26f94f17a5c1c2035

Download Submit
memory/1292-130-0x0000000000000000-mapping.dmp

Download
memory/1476-163-0x00007FF81B520000-0x00007FF81B530000-memory.dmp

Filesize
64KB

Download
memory/1476-164-0x00007FF81B520000-0x00007FF81B530000-memory.dmp

Filesize
64KB

Download
memory/1476-162-0x00007FF81D730000-0x00007FF81D740000-memory.dmp

Filesize
64KB

Download
memory/1476-161-0x00007FF81D730000-0x00007FF81D740000-memory.dmp

Filesize
64KB

Download
memory/1476-160-0x00007FF81D730000-0x00007FF81D740000-memory.dmp

Filesize
64KB

Download
memory/1476-159-0x00007FF81D730000-0x00007FF81D740000-memory.dmp

Filesize
64KB

Download
memory/1476-158-0x00007FF81D730000-0x00007FF81D740000-memory.dmp

Filesize
64KB

Download
memory/1832-148-0x00007FF6E3AE0000-0x00007FF6E4DC3000-memory.dmp

Filesize
18.9MB

Download
memory/1832-150-0x00007FF6E3AE0000-0x00007FF6E4DC3000-memory.dmp

Filesize
18.9MB

Download
memory/1832-152-0x00007FF85D6B0000-0x00007FF85D8A5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-136-0x0000000000000000-mapping.dmp

Download
memory/1832-144-0x00007FF6E3AE0000-0x00007FF6E4DC3000-memory.dmp

Filesize
18.9MB

Download
memory/1832-156-0x00007FF85D6B0000-0x00007FF85D8A5000-memory.dmp

Filesize
2.0MB

Download
memory/1832-157-0x00007FF6E3AE0000-0x00007FF6E4DC3000-memory.dmp

Filesize
18.9MB

Download
memory/2276-138-0x0000000000000000-mapping.dmp

Download
memory/3516-154-0x0000000000000000-mapping.dmp

Download
memory/3548-147-0x0000000000000000-mapping.dmp

Download
memory/3548-155-0x0000000000E90000-0x0000000000E9B000-memory.dmp

Filesize
44KB

Download
memory/3548-151-0x0000000000E90000-0x0000000000E9B000-memory.dmp

Filesize
44KB

Download
memory/3588-143-0x0000000000DF0000-0x0000000000DFB000-memory.dmp

Filesize
44KB

Download
memory/3588-153-0x0000000000DF0000-0x0000000000DFB000-memory.dmp

Filesize
44KB

Download
memory/3600-145-0x0000000000000000-mapping.dmp

Download
memory/4460-142-0x0000000000000000-mapping.dmp

Download
memory/4664-133-0x0000000000000000-mapping.dmp

Download