bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Size

362KB
MD5

5eb62ff48048584ae1a29d6a4698ccae
SHA1

a78bb9335164d216ab7bcdce5a7d9040d323c598
SHA256

bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e
SHA512

c1e0f9624b3485e68478c44e1dec888c7d9980c76a0676bbc47b56c200725417ad0c4a58a0da1b9db5529d9cc165807ec323955dea0090ffb76dea0873393579
SSDEEP

6144:C3rcIG98IZou0XYDd0mfFhTESz5kTM2pnOhwXHrhBBon6hP6d998o8tl/6e:y/uEYDNfPBzI7OhK9o6hP6d9F8r/

Score

8^/10

discovery evasion persistence trojan upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdpi = "C:\\Windows\\SysWOW64\\formatv.exe"	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe

Executes dropped EXE 1 IoCs

pid	Process
4484	formatv.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1880-132-0x0000000002150000-0x00000000021ED000-memory.dmp	upx
behavioral2/memory/1880-135-0x0000000002150000-0x00000000021ED000-memory.dmp	upx
behavioral2/memory/1880-136-0x0000000002150000-0x00000000021ED000-memory.dmp	upx
behavioral2/memory/1880-137-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/files/0x000400000001e753-143.dat	upx
behavioral2/files/0x000400000001e753-142.dat	upx
behavioral2/memory/4484-145-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/4484-147-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\formatv.exe	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
File created	C:\Windows\SysWOW64\formatv.exe	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
1720	msedge.exe
1720	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe
3828	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeDebugPrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
Token: SeImpersonatePrivilege	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3828	msedge.exe
3828	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4484	formatv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 4484	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	94
PID 1880 wrote to memory of 4484	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	94
PID 1880 wrote to memory of 4484	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	94
PID 1880 wrote to memory of 4960	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	96
PID 1880 wrote to memory of 4960	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	96
PID 1880 wrote to memory of 4960	1880	bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe	96
PID 4484 wrote to memory of 3828	4484	formatv.exe	98
PID 4484 wrote to memory of 3828	4484	formatv.exe	98
PID 3828 wrote to memory of 312	3828	msedge.exe	99
PID 3828 wrote to memory of 312	3828	msedge.exe	99
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 4100	3828	msedge.exe	103
PID 3828 wrote to memory of 1720	3828	msedge.exe	106
PID 3828 wrote to memory of 1720	3828	msedge.exe	106
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107
PID 3828 wrote to memory of 3588	3828	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe
"C:\Users\Admin\AppData\Local\Temp\bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe"
1⤵
- Adds policy Run key to start application
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\formatv.exe
  C:\Windows\SysWOW64\formatv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.alpha00001.com/cgi-bin/advert/getads?did=1077
    3⤵
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa49ba46f8,0x7ffa49ba4708,0x7ffa49ba4718
      4⤵
      PID:312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3016 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
      4⤵
      PID:3588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
      4⤵
      PID:4196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
      4⤵
      PID:1724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 /prefetch:8
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6688838417644589870,10399078167211483355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
      4⤵
      PID:3212
- C:\Windows\SysWOW64\cmd.exe
  /c C:\Users\Admin\AppData\Local\Temp\~unins4095.bat "C:\Users\Admin\AppData\Local\Temp\bebee881d6161401027222dc4b2557ab1187a74a8fe5c906b134beda59cb0c2e.exe"
  2⤵
  PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\formatv.exe

Filesize
137KB

MD5
13d8f8bd021645fbc0d1852f1a038348

SHA1
a9492a1e93b295c3d17e18991f5e46c06492c624

SHA256
ef79a0ae9aea6b74d3002b9a6fdc9acf861666cfcc9795adda2e6fd72dbc845e

SHA512
9f9b80f46f8b518c0c3ff73541c84b4068bd6ca344dcdc32f64d1e6d790938984172228bb36485c6bd1f56faeec8fb0523767d84121374fba9278160b9677251

Download Submit
C:\Windows\SysWOW64\formatv.exe

Filesize
137KB

MD5
13d8f8bd021645fbc0d1852f1a038348

SHA1
a9492a1e93b295c3d17e18991f5e46c06492c624

SHA256
ef79a0ae9aea6b74d3002b9a6fdc9acf861666cfcc9795adda2e6fd72dbc845e

SHA512
9f9b80f46f8b518c0c3ff73541c84b4068bd6ca344dcdc32f64d1e6d790938984172228bb36485c6bd1f56faeec8fb0523767d84121374fba9278160b9677251

Download Submit
memory/312-148-0x0000000000000000-mapping.dmp

Download
memory/1720-151-0x0000000000000000-mapping.dmp

Download
memory/1724-158-0x0000000000000000-mapping.dmp

Download
memory/1880-137-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1880-140-0x0000000002151000-0x00000000021AF000-memory.dmp

Filesize
376KB

Download
memory/1880-139-0x00000000021AF000-0x00000000021EC000-memory.dmp

Filesize
244KB

Download
memory/1880-138-0x0000000000620000-0x000000000065E000-memory.dmp

Filesize
248KB

Download
memory/1880-132-0x0000000002150000-0x00000000021ED000-memory.dmp

Filesize
628KB

Download
memory/1880-136-0x0000000002150000-0x00000000021ED000-memory.dmp

Filesize
628KB

Download
memory/1880-135-0x0000000002150000-0x00000000021ED000-memory.dmp

Filesize
628KB

Download
memory/3212-164-0x0000000000000000-mapping.dmp

Download
memory/3588-154-0x0000000000000000-mapping.dmp

Download
memory/3680-160-0x0000000000000000-mapping.dmp

Download
memory/3828-146-0x0000000000000000-mapping.dmp

Download
memory/4100-150-0x0000000000000000-mapping.dmp

Download
memory/4196-156-0x0000000000000000-mapping.dmp

Download
memory/4484-147-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4484-145-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4484-141-0x0000000000000000-mapping.dmp

Download
memory/4840-162-0x0000000000000000-mapping.dmp

Download
memory/4960-144-0x0000000000000000-mapping.dmp

Download