colibri | 182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Size

6.4MB
MD5

a2ce6b8cc1683e6f1b0e4a8ad210b4d0
SHA1

c8bf69219d2fb1b6280425e58465493b0dfab0ae
SHA256

182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3
SHA512

4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070
SSDEEP

98304:x25qF8LaEDcvSRApmZCzz9+hMYPGTjdThYHP3fkfsu/t/0SSEvEy6k4kCFWiSHrw:wx

Score

10^/10

colibri build1 loader

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Signatures

Colibri Loader
A loader sold as MaaS first seen in August 2021.
loader colibri

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4624	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4624	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4624	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4624	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4624	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4624	schtasks.exe

Executes dropped EXE 5 IoCs

Processes:

Idle.exetmp8C56.tmp.exetmp8C56.tmp.exetmp99F3.tmp.exetmp99F3.tmp.exe

pid process

1724 Idle.exe
4116 tmp8C56.tmp.exe
4012 tmp8C56.tmp.exe
4880 tmp99F3.tmp.exe
4200 tmp99F3.tmp.exe

pid	process
1724	Idle.exe
4116	tmp8C56.tmp.exe
4012	tmp8C56.tmp.exe
4880	tmp99F3.tmp.exe
4200	tmp99F3.tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Idle.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp8C56.tmp.exetmp99F3.tmp.exe

description	pid	process	target process
PID 4116 set thread context of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4880 set thread context of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe

Drops file in Program Files directory 2 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

description	ioc	process
File created	C:\Program Files\7-Zip\spoolsv.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\7-Zip\f3b6ecef712a24	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

Drops file in Windows directory 3 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\Idle.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\Idle.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\Prefetch\ReadyBoot\6ccacd8608530f	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3172 schtasks.exe
1812 schtasks.exe
4512 schtasks.exe
952 schtasks.exe
4936 schtasks.exe
1820 schtasks.exe
Modifies registry class 1 IoCs

Processes:

Idle.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings Idle.exe

pid	process
3172	schtasks.exe
1812	schtasks.exe
4512	schtasks.exe
952	schtasks.exe
4936	schtasks.exe
1820	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exeIdle.exe

pid	process
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe
1724	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exeIdle.exe

description pid process

Token: SeDebugPrivilege 4304 a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Token: SeDebugPrivilege 1724 Idle.exe

description	pid	process
Token: SeDebugPrivilege	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Token: SeDebugPrivilege	1724	Idle.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exetmp8C56.tmp.exeIdle.exetmp99F3.tmp.exe

description	pid	process	target process
PID 4304 wrote to memory of 1724	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	Idle.exe
PID 4304 wrote to memory of 1724	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	Idle.exe
PID 4304 wrote to memory of 4116	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp8C56.tmp.exe
PID 4304 wrote to memory of 4116	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp8C56.tmp.exe
PID 4304 wrote to memory of 4116	4304	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 4116 wrote to memory of 4012	4116	tmp8C56.tmp.exe	tmp8C56.tmp.exe
PID 1724 wrote to memory of 4880	1724	Idle.exe	tmp99F3.tmp.exe
PID 1724 wrote to memory of 4880	1724	Idle.exe	tmp99F3.tmp.exe
PID 1724 wrote to memory of 4880	1724	Idle.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 4880 wrote to memory of 4200	4880	tmp99F3.tmp.exe	tmp99F3.tmp.exe
PID 1724 wrote to memory of 808	1724	Idle.exe	WScript.exe
PID 1724 wrote to memory of 808	1724	Idle.exe	WScript.exe
PID 1724 wrote to memory of 4464	1724	Idle.exe	WScript.exe
PID 1724 wrote to memory of 4464	1724	Idle.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
"C:\Users\Admin\AppData\Local\Temp\a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe"
3⤵
- Executes dropped EXE
PID:4012

C:\Windows\Prefetch\ReadyBoot\Idle.exe
"C:\Windows\Prefetch\ReadyBoot\Idle.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe"
4⤵
- Executes dropped EXE
PID:4200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83b58bd1-4ea9-480a-81e2-af4bba57cf28.vbs"
3⤵
PID:808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b71f374-345c-4f69-8ff3-e11f9540890d.vbs"
3⤵
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3b71f374-345c-4f69-8ff3-e11f9540890d.vbs
Filesize
490B

MD5
2faca839cb00f6aac968bc214ad9ef1d

SHA1
6094ab08b74fb0b0479f0f53dd02301836bdef9a

SHA256
e916230286b5c62869d185648e9c643db434d4429f05d572b286d5a8b6d5446f

SHA512
750c2add68e127d5aedc9a9d6b1eda8a3dba82de46da6953e721e8b991a172c374482c04526f75ac7454297b8242a554b99b4119926a3bd76647f97b29915cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\83b58bd1-4ea9-480a-81e2-af4bba57cf28.vbs
Filesize
714B

MD5
c39daff44d8df738082682011265dd25

SHA1
4cfbf0ce68a8719a23f4e97bba69c2b792d256e7

SHA256
fef3bbeb32208fae5d2fc6371c1b657857e93c42aa5b5cb1d2d0c8b16539759d

SHA512
c7304f14271b77a5cabe3ccf6dccfc7ec7674dc3a94ebeb580ad7b7065ad39df9925dd7b8a26a6977dc56843c2ca44a9706353cd37fc08d3912e88da0f0bd91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C56.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp99F3.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Windows\Prefetch\ReadyBoot\Idle.exe
Filesize
6.4MB

MD5
a2ce6b8cc1683e6f1b0e4a8ad210b4d0

SHA1
c8bf69219d2fb1b6280425e58465493b0dfab0ae

SHA256
182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

SHA512
4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070

Download Submit
C:\Windows\Prefetch\ReadyBoot\Idle.exe
Filesize
6.4MB

MD5
a2ce6b8cc1683e6f1b0e4a8ad210b4d0

SHA1
c8bf69219d2fb1b6280425e58465493b0dfab0ae

SHA256
182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

SHA512
4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070

Download Submit
memory/808-155-0x0000000000000000-mapping.dmp

Download
memory/1724-144-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/1724-136-0x0000000000000000-mapping.dmp

Download
memory/1724-159-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4012-145-0x0000000000000000-mapping.dmp

Download
memory/4012-146-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4012-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4116-143-0x0000000000FA1000-0x0000000000FA4000-memory.dmp

Filesize
12KB

Download
memory/4116-139-0x0000000000000000-mapping.dmp

Download
memory/4200-152-0x0000000000000000-mapping.dmp

Download
memory/4304-132-0x00000000001F0000-0x0000000000856000-memory.dmp

Filesize
6.4MB

Download
memory/4304-141-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4304-135-0x000000001D1A0000-0x000000001D6C8000-memory.dmp

Filesize
5.2MB

Download
memory/4304-134-0x000000001B4E0000-0x000000001B530000-memory.dmp

Filesize
320KB

Download
memory/4304-133-0x00007FF833AC0000-0x00007FF834581000-memory.dmp

Filesize
10.8MB

Download
memory/4464-156-0x0000000000000000-mapping.dmp

Download
memory/4880-149-0x0000000000000000-mapping.dmp

Download