tofsee | c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a

Analysis

max time kernel
154s
max time network
155s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-12-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe
Size

277KB
MD5

f45d7484b380f381a87585575c7db43a
SHA1

bf539ad755fe1524219d2c4ea59ab7f141b812ba
SHA256

c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a
SHA512

4f818cec22ded75b20128891c7e5c6242cbb6e2da89e2909ffbef7257be894b0339389ad8d2fa451bfbf617e56a1dcab1c8c1ceeb01ca551b3d5ab2c4a5c597d
SSDEEP

6144:r+MLF21xnMnD4j/A2AO8E4rOKnuRjMgU:rJx27MD4jZU/uRQg

Score

10^/10

tofsee evasion persistence trojan

Malware Config

Extracted

Family

tofsee

svartalfheim.top

jotunheim.name

Signatures

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\zkmotbgv = "0"	svchost.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 2 IoCs

Processes:

qwodibs.exelebjatnk.exe

pid process

4548 qwodibs.exe
2176 lebjatnk.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

3148 netsh.exe
3708 netsh.exe

pid	process
4548	qwodibs.exe
2176	lebjatnk.exe

pid	process
3148	netsh.exe
3708	netsh.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zkmotbgv\ImagePath = "C:\\Windows\\SysWOW64\\zkmotbgv\\lebjatnk.exe"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\whjlqyds = "\"C:\\Users\\Admin\\qwodibs.exe\""	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

lebjatnk.exe

description pid process target process

PID 2176 set thread context of 4720 2176 lebjatnk.exe svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1956 sc.exe
3360 sc.exe
4284 sc.exe
1556 sc.exe
3276 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 2176 set thread context of 4720	2176	lebjatnk.exe	svchost.exe

pid	process
1956	sc.exe
3360	sc.exe
4284	sc.exe
1556	sc.exe
3276	sc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exeqwodibs.exelebjatnk.exe

description	pid	process	target process
PID 4056 wrote to memory of 3612	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 3612	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 3612	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 4572	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 4572	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 4572	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	cmd.exe
PID 4056 wrote to memory of 1956	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 1956	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 1956	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 3360	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 3360	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 3360	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 4284	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 4284	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 4284	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	sc.exe
PID 4056 wrote to memory of 3148	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	netsh.exe
PID 4056 wrote to memory of 3148	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	netsh.exe
PID 4056 wrote to memory of 3148	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	netsh.exe
PID 4056 wrote to memory of 4548	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	qwodibs.exe
PID 4056 wrote to memory of 4548	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	qwodibs.exe
PID 4056 wrote to memory of 4548	4056	c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe	qwodibs.exe
PID 4548 wrote to memory of 64	4548	qwodibs.exe	cmd.exe
PID 4548 wrote to memory of 64	4548	qwodibs.exe	cmd.exe
PID 4548 wrote to memory of 64	4548	qwodibs.exe	cmd.exe
PID 4548 wrote to memory of 1556	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 1556	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 1556	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 3276	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 3276	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 3276	4548	qwodibs.exe	sc.exe
PID 4548 wrote to memory of 3708	4548	qwodibs.exe	netsh.exe
PID 4548 wrote to memory of 3708	4548	qwodibs.exe	netsh.exe
PID 4548 wrote to memory of 3708	4548	qwodibs.exe	netsh.exe
PID 2176 wrote to memory of 4720	2176	lebjatnk.exe	svchost.exe
PID 2176 wrote to memory of 4720	2176	lebjatnk.exe	svchost.exe
PID 2176 wrote to memory of 4720	2176	lebjatnk.exe	svchost.exe
PID 2176 wrote to memory of 4720	2176	lebjatnk.exe	svchost.exe
PID 2176 wrote to memory of 4720	2176	lebjatnk.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe
"C:\Users\Admin\AppData\Local\Temp\c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zkmotbgv\
2⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vleczipo.exe" C:\Windows\SysWOW64\zkmotbgv\
2⤵
PID:4572

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create zkmotbgv binPath= "C:\Windows\SysWOW64\zkmotbgv\vleczipo.exe /d\"C:\Users\Admin\AppData\Local\Temp\c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
- Launches sc.exe
PID:1956

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description zkmotbgv "wifi internet conection"
2⤵
- Launches sc.exe
PID:3360

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zkmotbgv
2⤵
- Launches sc.exe
PID:4284

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
- Modifies Windows Firewall
PID:3148

C:\Users\Admin\qwodibs.exe
"C:\Users\Admin\qwodibs.exe" /d"C:\Users\Admin\AppData\Local\Temp\c8d141b0d0a157275bb4505cfe3fef75ef9d08f0738299a49be28a0329681f1a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lebjatnk.exe" C:\Windows\SysWOW64\zkmotbgv\
3⤵
PID:64

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config zkmotbgv binPath= "C:\Windows\SysWOW64\zkmotbgv\lebjatnk.exe /d\"C:\Users\Admin\qwodibs.exe\""
3⤵
- Launches sc.exe
PID:1556

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start zkmotbgv
3⤵
- Launches sc.exe
PID:3276

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
3⤵
- Modifies Windows Firewall
PID:3708

C:\Windows\SysWOW64\zkmotbgv\lebjatnk.exe
C:\Windows\SysWOW64\zkmotbgv\lebjatnk.exe /d"C:\Users\Admin\qwodibs.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Windows security bypass
- Sets service image path in registry
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

New Service

T1050

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lebjatnk.exe
Filesize
11.8MB

MD5
3ef91acaedfa8f7dee40f4315bd17c01

SHA1
4840e11d5583cd1cef672fb5fab549ec97de8620

SHA256
ad811108561925d5811171d276acf2ac14950e4a17c0210c519f1e689b1a4df9

SHA512
2b8c2fae2deed16e725ca6224e81ba68f3842cf1c79b4cb3f5eb92d6eb87f39ee5313566a3ae2b949f392f52437817949a4ba3718b8ddda23272324f575751d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vleczipo.exe
Filesize
10.6MB

MD5
8d8f569419ee84ec761e1f45b3b8d961

SHA1
3fb9bf5adfb5c3c0673c3f74682ecad8ff88193d

SHA256
4f4efd85f61d70dfbef2517bc6506a525f58b871afa4b93ced135ea5221a202e

SHA512
e816c35e0c01e3b1bd9f264a0ab3711e13aaf891cb99e8f155ae1ac6ffadb0e78171488700c056f66402423e78a28288a1055d48a9972f948100d401719a5724

Download Submit
C:\Users\Admin\qwodibs.exe
Filesize
14.7MB

MD5
f045ac4850383652ed881497509eef68

SHA1
3c542fe1b4986c87e90745a3e444864e0b2e132f

SHA256
cfcd4ad8d4f9523242441c5c14eed6e124301292e8643b081778600e69c248fd

SHA512
566cfaff4d62c6e43915aad25ead9cbe565bb4652e172723949f3f0748c0942d8db4c65582a277eba03bae34adcaeed376d2390df347d4489ac9c4fed82b62f2

Download Submit
C:\Users\Admin\qwodibs.exe
Filesize
14.7MB

MD5
f045ac4850383652ed881497509eef68

SHA1
3c542fe1b4986c87e90745a3e444864e0b2e132f

SHA256
cfcd4ad8d4f9523242441c5c14eed6e124301292e8643b081778600e69c248fd

SHA512
566cfaff4d62c6e43915aad25ead9cbe565bb4652e172723949f3f0748c0942d8db4c65582a277eba03bae34adcaeed376d2390df347d4489ac9c4fed82b62f2

Download Submit
C:\Windows\SysWOW64\zkmotbgv\lebjatnk.exe
Filesize
11.8MB

MD5
3ef91acaedfa8f7dee40f4315bd17c01

SHA1
4840e11d5583cd1cef672fb5fab549ec97de8620

SHA256
ad811108561925d5811171d276acf2ac14950e4a17c0210c519f1e689b1a4df9

SHA512
2b8c2fae2deed16e725ca6224e81ba68f3842cf1c79b4cb3f5eb92d6eb87f39ee5313566a3ae2b949f392f52437817949a4ba3718b8ddda23272324f575751d6

Download Submit
memory/64-357-0x0000000000000000-mapping.dmp

Download
memory/1556-374-0x0000000000000000-mapping.dmp

Download
memory/1956-185-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1956-177-0x0000000000000000-mapping.dmp

Download
memory/1956-180-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1956-181-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1956-182-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1956-183-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/1956-187-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/2176-604-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/2176-622-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3148-213-0x0000000000000000-mapping.dmp

Download
memory/3276-391-0x0000000000000000-mapping.dmp

Download
memory/3360-184-0x0000000000000000-mapping.dmp

Download
memory/3360-188-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3360-186-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-178-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-167-0x0000000000000000-mapping.dmp

Download
memory/3612-171-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-170-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-169-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3612-168-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/3708-412-0x0000000000000000-mapping.dmp

Download
memory/4056-142-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-137-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-148-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-149-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-150-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-151-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-152-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-153-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-154-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-155-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-156-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-157-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-158-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-159-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4056-160-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-161-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-162-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-163-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-164-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-165-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-166-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-146-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-145-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-144-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-143-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-118-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-119-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-120-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-121-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-122-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-123-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-141-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-140-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-139-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-124-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-138-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-147-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-136-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-135-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-134-0x0000000000450000-0x000000000059A000-memory.dmp

Filesize
1.3MB

Download
memory/4056-133-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-132-0x00000000006A3000-0x00000000006B9000-memory.dmp

Filesize
88KB

Download
memory/4056-131-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-125-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-130-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-129-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-233-0x00000000006A3000-0x00000000006B9000-memory.dmp

Filesize
88KB

Download
memory/4056-234-0x0000000000450000-0x000000000059A000-memory.dmp

Filesize
1.3MB

Download
memory/4056-126-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-128-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4056-248-0x00000000006A3000-0x00000000006B9000-memory.dmp

Filesize
88KB

Download
memory/4056-249-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4056-127-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4284-195-0x0000000000000000-mapping.dmp

Download
memory/4548-417-0x00000000005B3000-0x00000000005C9000-memory.dmp

Filesize
88KB

Download
memory/4548-306-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4548-356-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4548-304-0x00000000005B3000-0x00000000005C9000-memory.dmp

Filesize
88KB

Download
memory/4548-420-0x00000000001C0000-0x00000000001D3000-memory.dmp

Filesize
76KB

Download
memory/4548-423-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4548-244-0x0000000000000000-mapping.dmp

Download
memory/4572-175-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4572-179-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4572-176-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4572-174-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4572-173-0x00000000776D0000-0x000000007785E000-memory.dmp

Filesize
1.6MB

Download
memory/4572-172-0x0000000000000000-mapping.dmp

Download
memory/4720-618-0x0000000000879A6B-mapping.dmp

Download
memory/4720-700-0x0000000000870000-0x0000000000885000-memory.dmp

Filesize
84KB

Download
memory/4720-747-0x0000000000870000-0x0000000000885000-memory.dmp

Filesize
84KB

Download