d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c

Resubmissions

28-10-2022 06:14

221028-gzepmafagn 10

13-10-2022 09:36

221013-lkxdcabga8 10

Analysis

max time kernel
108s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yan1.exe
Size

398KB
MD5

afaf2d4ebb6dc47e79a955df5ad1fc8a
SHA1

c418ce055d97928f94ba06b5de8124a601d8f632
SHA256

d11793433065633b84567de403c1989640a07c9a399dd2753aaf118891ce791c
SHA512

321424ac21ebdb7f759a84236cb95c533b3000b3143099e1697f4a1f534c11782dafa68e5fa9e662b973b9669c1177b69c2fd0b83455625e57aa123385f581e6
SSDEEP

12288:EfaLQyGK6kAa2XgsA1RUa+jE6S3qRTjO0:EwIHnXp/O0

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1496 powershell.exe

pid	process
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

yan1.exepowershell.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1132	yan1.exe
Token: SeTakeOwnershipPrivilege	1132	yan1.exe
Token: SeTakeOwnershipPrivilege	1132	yan1.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

yan1.execmd.exe

description	pid	process	target process
PID 1132 wrote to memory of 1492	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1492	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1492	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1492	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1452	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1452	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1452	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1452	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 856	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 856	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 856	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 856	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 876	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 876	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 876	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 876	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1648	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1648	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1648	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1648	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1076	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1076	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1076	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1076	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1488	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1488	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1488	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1488	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 240	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 240	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 240	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 240	1132	yan1.exe	cmd.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1496	1492	cmd.exe	powershell.exe
PID 1132 wrote to memory of 300	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 300	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 300	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 300	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1692	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1692	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1692	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1692	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1356	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1356	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1356	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1356	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1824	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1824	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1824	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1824	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 860	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 860	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 860	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 860	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1744	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1744	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1744	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 1744	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 484	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 484	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 484	1132	yan1.exe	cmd.exe
PID 1132 wrote to memory of 484	1132	yan1.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\yan1.exe
C:\Users\Admin\AppData\Local\Temp\yan1.exe -pass D86BDXL9N3H
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -command "Get-VM | Stop-VM -Force"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "Get-VM | Stop-VM -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100
  2⤵
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSSQL$ISARS
  2⤵
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSSQL$MSFW
  2⤵
  PID:876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SQLAgent$ISARS
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SQLAgent$MSFW
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SQLBrowser
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop ReportServer$ISARS
  2⤵
  PID:240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SQLWriter
  2⤵
  PID:300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop WinDefend
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop mr2kserv
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSExchangeADTopology
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSExchangeFBA
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSExchangeIS
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSExchangeSA
  2⤵
  PID:484
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop ShadowProtectSvc
  2⤵
  PID:800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPAdminV4
  2⤵
  PID:820
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPTimerV4
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPTraceV4
  2⤵
  PID:304
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPUserCodeV4
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPWriterV4
  2⤵
  PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop SPSearch4
  2⤵
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop MSSQLServerADHelper100
  2⤵
  PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop IISADMIN
  2⤵
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop firebirdguardiandefaultinstance
  2⤵
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop ibmiasrw
  2⤵
  PID:996
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QBCFMonitorService
  2⤵
  PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QBVSS
  2⤵
  PID:596
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QBPOSDBServiceV12
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop "IBM Domino Server (CProgramFilesIBMDominodata)"
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop "IBM Domino Diagnostics (CProgramFilesIBMDomino)"
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop IISADMIN
  2⤵
  PID:2056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop "Simply Accounting Database Connection Manager"
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB1
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB2
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB3
  2⤵
  PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB4
  2⤵
  PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB5
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB6
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB7
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB8
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB9
  2⤵
  PID:2344
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB10
  2⤵
  PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB11
  2⤵
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB12
  2⤵
  PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB13
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB14
  2⤵
  PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB15
  2⤵
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB16
  2⤵
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB17
  2⤵
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB18
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB19
  2⤵
  PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB20
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB21
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB22
  2⤵
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB23
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB24
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" net stop QuickBooksDB25
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im mysql*
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im dsa*
  2⤵
  PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im veeam*
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im chrome*
  2⤵
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im iexplore*
  2⤵
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im firefox*
  2⤵
  PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im outlook*
  2⤵
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im excel*
  2⤵
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im outlook*
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im taskmgr*
  2⤵
  PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im tasklist*
  2⤵
  PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im Ntrtscan*
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im ds_monitor*
  2⤵
  PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im Notifier*
  2⤵
  PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im putty*
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im ssh*
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im TmListen*
  2⤵
  PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im iVPAgent*
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im CNTAoSMgr*
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im IBM*
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im bes10*
  2⤵
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im black*
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im robo*
  2⤵
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im copy*
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im sql
  2⤵
  PID:2524
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im store.exe
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im sql*
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im vee*
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im wrsa*
  2⤵
  PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im wrsa.exe
  2⤵
  PID:3080
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im postg*
  2⤵
  PID:3088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" taskkill /f /im sage*
  2⤵
  PID:3096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-62-0x0000000000000000-mapping.dmp

Download
memory/300-65-0x0000000000000000-mapping.dmp

Download
memory/304-75-0x0000000000000000-mapping.dmp

Download
memory/484-71-0x0000000000000000-mapping.dmp

Download
memory/572-81-0x0000000000000000-mapping.dmp

Download
memory/596-84-0x0000000000000000-mapping.dmp

Download
memory/680-85-0x0000000000000000-mapping.dmp

Download
memory/792-78-0x0000000000000000-mapping.dmp

Download
memory/800-72-0x0000000000000000-mapping.dmp

Download
memory/820-73-0x0000000000000000-mapping.dmp

Download
memory/856-57-0x0000000000000000-mapping.dmp

Download
memory/860-69-0x0000000000000000-mapping.dmp

Download
memory/876-58-0x0000000000000000-mapping.dmp

Download
memory/948-86-0x0000000000000000-mapping.dmp

Download
memory/996-82-0x0000000000000000-mapping.dmp

Download
memory/1064-79-0x0000000000000000-mapping.dmp

Download
memory/1076-60-0x0000000000000000-mapping.dmp

Download
memory/1132-54-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1244-80-0x0000000000000000-mapping.dmp

Download
memory/1252-87-0x0000000000000000-mapping.dmp

Download
memory/1272-77-0x0000000000000000-mapping.dmp

Download
memory/1332-74-0x0000000000000000-mapping.dmp

Download
memory/1356-67-0x0000000000000000-mapping.dmp

Download
memory/1452-56-0x0000000000000000-mapping.dmp

Download
memory/1488-61-0x0000000000000000-mapping.dmp

Download
memory/1492-55-0x0000000000000000-mapping.dmp

Download
memory/1496-121-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-120-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-63-0x0000000000000000-mapping.dmp

Download
memory/1520-76-0x0000000000000000-mapping.dmp

Download
memory/1576-83-0x0000000000000000-mapping.dmp

Download
memory/1648-59-0x0000000000000000-mapping.dmp

Download
memory/1692-66-0x0000000000000000-mapping.dmp

Download
memory/1744-70-0x0000000000000000-mapping.dmp

Download
memory/1824-68-0x0000000000000000-mapping.dmp

Download
memory/2056-88-0x0000000000000000-mapping.dmp

Download
memory/2076-89-0x0000000000000000-mapping.dmp

Download
memory/2096-90-0x0000000000000000-mapping.dmp

Download
memory/2116-91-0x0000000000000000-mapping.dmp

Download
memory/2168-92-0x0000000000000000-mapping.dmp

Download
memory/2188-93-0x0000000000000000-mapping.dmp

Download
memory/2208-94-0x0000000000000000-mapping.dmp

Download
memory/2224-95-0x0000000000000000-mapping.dmp

Download
memory/2248-96-0x0000000000000000-mapping.dmp

Download
memory/2280-97-0x0000000000000000-mapping.dmp

Download
memory/2344-98-0x0000000000000000-mapping.dmp

Download
memory/2368-99-0x0000000000000000-mapping.dmp

Download
memory/2408-100-0x0000000000000000-mapping.dmp

Download
memory/2432-101-0x0000000000000000-mapping.dmp

Download
memory/2452-102-0x0000000000000000-mapping.dmp

Download
memory/2472-103-0x0000000000000000-mapping.dmp

Download
memory/2492-104-0x0000000000000000-mapping.dmp

Download
memory/2508-105-0x0000000000000000-mapping.dmp

Download
memory/2568-106-0x0000000000000000-mapping.dmp

Download
memory/2592-107-0x0000000000000000-mapping.dmp

Download
memory/2620-108-0x0000000000000000-mapping.dmp

Download
memory/2640-109-0x0000000000000000-mapping.dmp

Download
memory/2680-110-0x0000000000000000-mapping.dmp

Download
memory/2728-111-0x0000000000000000-mapping.dmp

Download
memory/2748-112-0x0000000000000000-mapping.dmp

Download
memory/2768-113-0x0000000000000000-mapping.dmp

Download
memory/2788-114-0x0000000000000000-mapping.dmp

Download
memory/2800-115-0x0000000000000000-mapping.dmp

Download
memory/2856-116-0x0000000000000000-mapping.dmp

Download
memory/2876-117-0x0000000000000000-mapping.dmp

Download
memory/2896-118-0x0000000000000000-mapping.dmp

Download
memory/2916-119-0x0000000000000000-mapping.dmp

Download