1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e

Analysis

max time kernel
163s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Size

1.3MB
MD5

8a6a9dd67063c9098447da6fa53a1f13
SHA1

36238cb4ea92b462707328ad5dc72a495007534b
SHA256

1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e
SHA512

6d1b078bf9e61ac73b79c03a1cfce776f9a6b2a9e1a7be81230846da4e879d0c9cbcc562e98985a12da4ee3825e10094b457d02de3d469aa9bd2ed0e82b0c143
SSDEEP

24576:K7Ls6itoOW2mLc3cvu7jWk7cj8L5SiS+AmxAvkGuAsQCi+2GmR2ka:KXGFLmLc34cJL5NfAxTnsQCKBUka

Score

10^/10

agilenet evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hknswc.exe

Executes dropped EXE 3 IoCs

pid	Process
4228	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4912	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AppMgnt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	hknswc.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/files/0x0008000000022e17-143.dat	agile_net
behavioral2/files/0x0008000000022e17-144.dat	agile_net

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	myip.dnsomatic.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4484 set thread context of 4092	4484	hknswc.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2284	schtasks.exe
4188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4228	AppMgnt.exe
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe
3232	AppMgnt.exe
4484	hknswc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Token: SeDebugPrivilege	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Token: SeDebugPrivilege	4228	AppMgnt.exe
Token: SeDebugPrivilege	4484	hknswc.exe
Token: SeDebugPrivilege	4484	hknswc.exe
Token: SeDebugPrivilege	3232	AppMgnt.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 3488	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	81
PID 4568 wrote to memory of 4228	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	82
PID 4568 wrote to memory of 4228	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	82
PID 4568 wrote to memory of 4228	4568	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe	82
PID 4228 wrote to memory of 4484	4228	AppMgnt.exe	83
PID 4228 wrote to memory of 4484	4228	AppMgnt.exe	83
PID 4228 wrote to memory of 4484	4228	AppMgnt.exe	83
PID 4228 wrote to memory of 2284	4228	AppMgnt.exe	84
PID 4228 wrote to memory of 2284	4228	AppMgnt.exe	84
PID 4228 wrote to memory of 2284	4228	AppMgnt.exe	84
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 4092	4484	hknswc.exe	86
PID 4484 wrote to memory of 3232	4484	hknswc.exe	87
PID 4484 wrote to memory of 3232	4484	hknswc.exe	87
PID 4484 wrote to memory of 3232	4484	hknswc.exe	87
PID 3232 wrote to memory of 4188	3232	AppMgnt.exe	88
PID 3232 wrote to memory of 4188	3232	AppMgnt.exe	88
PID 3232 wrote to memory of 4188	3232	AppMgnt.exe	88
PID 3488 wrote to memory of 3376	3488	vbc.exe	90
PID 3488 wrote to memory of 3376	3488	vbc.exe	90
PID 3488 wrote to memory of 3376	3488	vbc.exe	90
PID 3376 wrote to memory of 3872	3376	WScript.exe	91
PID 3376 wrote to memory of 3872	3376	WScript.exe	91
PID 3376 wrote to memory of 3872	3376	WScript.exe	91
PID 3872 wrote to memory of 4912	3872	cmd.exe	93
PID 3872 wrote to memory of 4912	3872	cmd.exe	93
PID 3872 wrote to memory of 4912	3872	cmd.exe	93

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	hknswc.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4912	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe
"C:\Users\Admin\AppData\Local\Temp\1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4568
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbs"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\RealNetowrks
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4912
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      4⤵
      PID:4092
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4188
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Create /SC ONLOGON /TN PolicyManager /TR C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\AppMgnt.exe.log

Filesize
224B

MD5
9c4b66f77f12558c48b620ddfb44029d

SHA1
446651db643b943ec37b9b3599655e211a4bc73e

SHA256
42f723d18283fda6a0904046cc29ee8d10e562d20c7615259a46ae9c0e4c9708

SHA512
983aed0ec15a79b716ac6dc080146e4ed098c117c31167053fb5971649dc621d1db5292fdd76f3010f094b75d57ea0bdb35bc829c6ba37e4d276b266361dee8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
8KB

MD5
07870aab1c5ab63cfeaa3c396ebaac51

SHA1
b3789bc78eb3345af6899f331aded871bd4a27e9

SHA256
feae74003448e0a27cd5e1e9087f54c8a558ad2ae2ce3d04382860ef19081323

SHA512
ae96ab7119784132a6e9fd49312a6ffe53b89504fea72d7618f143b0b432c08f1cc6836367af0fd878873d4ffc8b4356d6f66eea2007cdefba90ff1202d5e7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
8KB

MD5
07870aab1c5ab63cfeaa3c396ebaac51

SHA1
b3789bc78eb3345af6899f331aded871bd4a27e9

SHA256
feae74003448e0a27cd5e1e9087f54c8a558ad2ae2ce3d04382860ef19081323

SHA512
ae96ab7119784132a6e9fd49312a6ffe53b89504fea72d7618f143b0b432c08f1cc6836367af0fd878873d4ffc8b4356d6f66eea2007cdefba90ff1202d5e7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
8KB

MD5
07870aab1c5ab63cfeaa3c396ebaac51

SHA1
b3789bc78eb3345af6899f331aded871bd4a27e9

SHA256
feae74003448e0a27cd5e1e9087f54c8a558ad2ae2ce3d04382860ef19081323

SHA512
ae96ab7119784132a6e9fd49312a6ffe53b89504fea72d7618f143b0b432c08f1cc6836367af0fd878873d4ffc8b4356d6f66eea2007cdefba90ff1202d5e7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgnt.exe

Filesize
8KB

MD5
07870aab1c5ab63cfeaa3c396ebaac51

SHA1
b3789bc78eb3345af6899f331aded871bd4a27e9

SHA256
feae74003448e0a27cd5e1e9087f54c8a558ad2ae2ce3d04382860ef19081323

SHA512
ae96ab7119784132a6e9fd49312a6ffe53b89504fea72d7618f143b0b432c08f1cc6836367af0fd878873d4ffc8b4356d6f66eea2007cdefba90ff1202d5e7f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
1.3MB

MD5
8a6a9dd67063c9098447da6fa53a1f13

SHA1
36238cb4ea92b462707328ad5dc72a495007534b

SHA256
1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e

SHA512
6d1b078bf9e61ac73b79c03a1cfce776f9a6b2a9e1a7be81230846da4e879d0c9cbcc562e98985a12da4ee3825e10094b457d02de3d469aa9bd2ed0e82b0c143

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hknswc.exe

Filesize
1.3MB

MD5
8a6a9dd67063c9098447da6fa53a1f13

SHA1
36238cb4ea92b462707328ad5dc72a495007534b

SHA256
1fe6260c3d2de26599b72c225bf430352e4a2f83371c37eb19dbb9d4e091df3e

SHA512
6d1b078bf9e61ac73b79c03a1cfce776f9a6b2a9e1a7be81230846da4e879d0c9cbcc562e98985a12da4ee3825e10094b457d02de3d469aa9bd2ed0e82b0c143

Download Submit
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.bat

Filesize
56B

MD5
4a55a5a5ca857637659220aeb1a91d92

SHA1
4c73b21f348ed194dec47bcb0c3a83071be864e8

SHA256
0aa9d5a6e2d224e57d44bd4267c6d98479e25b052c878e579cc5d2facbcc601f

SHA512
d7ea2948e2c5f60675c08d6a8308cd7c449e1efaef818a24bf0481b8f5a45412a04b5fd580035127bcd052cc754fb948dc947989528ee9a52ce64457ab2eac51

Download Submit
C:\Users\Admin\AppData\Roaming\RealNetowrks\Hide_Folder_1.vbs

Filesize
169B

MD5
3d987aec0fa7269c334d9d52676f7ae6

SHA1
c912e179bfcad6b0d10061cfe4eb84bfa069a5f5

SHA256
757a187de0343591d7d49a2fa71ef8a8f8325f61df8f2bff905c36d599bdd549

SHA512
8ff828024cfdb0db4bc0474ce4b5f00e691c0d9c4193ebd67bb57b4ba7907690e688c6c0a78863a8ece6e244ef21e89c0aa1b7f073146fad0a2b0e59beb58e63

Download Submit
memory/2284-145-0x0000000000000000-mapping.dmp

Download
memory/3232-160-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3232-163-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/3232-155-0x0000000000000000-mapping.dmp

Download
memory/3376-164-0x0000000000000000-mapping.dmp

Download
memory/3488-141-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3488-137-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3488-134-0x0000000000000000-mapping.dmp

Download
memory/3488-135-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3488-136-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3488-161-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/3872-167-0x0000000000000000-mapping.dmp

Download
memory/4092-153-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4092-150-0x0000000000000000-mapping.dmp

Download
memory/4092-152-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4092-154-0x0000000000400000-0x000000000048F000-memory.dmp

Filesize
572KB

Download
memory/4188-159-0x0000000000000000-mapping.dmp

Download
memory/4228-138-0x0000000000000000-mapping.dmp

Download
memory/4228-146-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4228-149-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4484-147-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4484-162-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4484-142-0x0000000000000000-mapping.dmp

Download
memory/4568-132-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4568-133-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4568-148-0x0000000074AC0000-0x0000000075071000-memory.dmp

Filesize
5.7MB

Download
memory/4912-168-0x0000000000000000-mapping.dmp

Download