blacknet | 97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

Analysis

max time kernel
33s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c77e5db3244e658843f06ae2e61ad95f.exe
Size

133KB
MD5

c77e5db3244e658843f06ae2e61ad95f
SHA1

5bcf4c83cd1218db713c1be89369e368c6c0f115
SHA256

97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9
SHA512

0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339
SSDEEP

3072:BI7KpEaKA2L22xYWVVz8pWzWpBZ7ubozFyTO1wbCl9fGJu:u7kKAhI8pWzWpB0boQMZGJ

Score

10^/10

blacknet ec evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Botnet

NriE0EakUiK+22Ai4N6Othh0De1s55kV0+sFoXChkQhcVCI2dUu3XGlBV5pu/x/cmJ/BByQIf9PqFghM2sWKP07Iz1Om2nFj+5Ad12ZaY4I9PtWNNix+MC57LiawhMvDUqvUZ0D9AMzT8Ml3Nn9NF/VG4jr2jwHli/295QeYGFGuN7RO/IqZPFblPfaRqq3BNeE7xgdHFMHJVcwvHA4s0oso3I6avTLaxL57NqpSPVJhEZ1yPk4qQWERPXxXoS+1Wp4lQUuVgRpkdjgjhF3IjONn1RIO+3lwJvDoUCLTzG1IxQGrYB+xHSLQ6jCzByfdvDqCc0Jpf0uylVa3q6zmPQ==

Mutex

BN[UfwxTUeC-7463479]

Attributes

antivm
false
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
cde2f914e4cce7f13b2c1cec7b6da970
startup
false
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	c77e5db3244e658843f06ae2e61ad95f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	c77e5db3244e658843f06ae2e61ad95f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	c77e5db3244e658843f06ae2e61ad95f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	c77e5db3244e658843f06ae2e61ad95f.exe

Executes dropped EXE 2 IoCs

Processes:

WindowsUpdate.exesvchosts.exe

pid process

1976 WindowsUpdate.exe
1580 svchosts.exe

pid	process
1976	WindowsUpdate.exe
1580	svchosts.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WindowsUpdate.exec77e5db3244e658843f06ae2e61ad95f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	c77e5db3244e658843f06ae2e61ad95f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\cde2f914e4cce7f13b2c1cec7b6da970 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	c77e5db3244e658843f06ae2e61ad95f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe

pid	process
1460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exe

pid	process
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe
1204	c77e5db3244e658843f06ae2e61ad95f.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exepowershell.exeWindowsUpdate.exepowershell.exesvchosts.exe

description	pid	process
Token: SeDebugPrivilege	1204	c77e5db3244e658843f06ae2e61ad95f.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1976	WindowsUpdate.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	1580	svchosts.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c77e5db3244e658843f06ae2e61ad95f.exeWindowsUpdate.exe

description	pid	process	target process
PID 1204 wrote to memory of 1420	1204	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1204 wrote to memory of 1420	1204	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1204 wrote to memory of 1420	1204	c77e5db3244e658843f06ae2e61ad95f.exe	powershell.exe
PID 1204 wrote to memory of 1976	1204	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1204 wrote to memory of 1976	1204	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1204 wrote to memory of 1976	1204	c77e5db3244e658843f06ae2e61ad95f.exe	WindowsUpdate.exe
PID 1976 wrote to memory of 1096	1976	WindowsUpdate.exe	powershell.exe
PID 1976 wrote to memory of 1096	1976	WindowsUpdate.exe	powershell.exe
PID 1976 wrote to memory of 1096	1976	WindowsUpdate.exe	powershell.exe
PID 1976 wrote to memory of 1460	1976	WindowsUpdate.exe	schtasks.exe
PID 1976 wrote to memory of 1460	1976	WindowsUpdate.exe	schtasks.exe
PID 1976 wrote to memory of 1460	1976	WindowsUpdate.exe	schtasks.exe
PID 1976 wrote to memory of 1580	1976	WindowsUpdate.exe	svchosts.exe
PID 1976 wrote to memory of 1580	1976	WindowsUpdate.exe	svchosts.exe
PID 1976 wrote to memory of 1580	1976	WindowsUpdate.exe	svchosts.exe

C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe
"C:\Users\Admin\AppData\Local\Temp\c77e5db3244e658843f06ae2e61ad95f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONSTART /RL HIGHEST /tn "'WindowsUpdate"' /tr "'C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"'
3⤵
- Creates scheduled task(s)
PID:1460

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
133KB

MD5
c77e5db3244e658843f06ae2e61ad95f

SHA1
5bcf4c83cd1218db713c1be89369e368c6c0f115

SHA256
97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

SHA512
0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
133KB

MD5
c77e5db3244e658843f06ae2e61ad95f

SHA1
5bcf4c83cd1218db713c1be89369e368c6c0f115

SHA256
97ac2f7c9ff8e79aa217a8bac22bc9575cecb39bc87bcd753d428c56ea4899c9

SHA512
0d62eaaf493e840d4fe0c96cde1d8d1c76377789c1e99817426e39d16573a4a8de722d3c337a100e2a3c74bea7f1d89e5e494b0587b4c6114eb33b8b0c31d339

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
Filesize
18KB

MD5
d133d370c3858c9811e70f95d554d2c6

SHA1
bb09b1253ce571a49b76951283883a3499588295

SHA256
87a1711030512dd414bcbab0659a2b51c0c16505bd8a068a282a1cc2c9fdf93b

SHA512
db4d41fca43e496b2b0d8d47d936a9ce204e3b6c4c669a8a9810362776a977b5337359b843fcd1d20004455d2c91f9790b3accb5352f4e55ec53c7e5d359d778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
53e01bc80ab1865d027297465403242c

SHA1
98e08750a09523589690f114dc89f1525b74de4e

SHA256
6e45a4c2087535ee020ff5db3df7227812d493338101ad0ddcc062f49474a814

SHA512
be6b33f0ae7254ffd49275849c0a38dd2db74c9edf8b49b5de7814faff28c967a7f39f9d111c51624b1648eb60a6befa8dbc75b0b9463721f0d19a6653effcfc

Download Submit
memory/1096-87-0x0000000000000000-mapping.dmp

Download
memory/1096-105-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1096-104-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1096-103-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/1096-91-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1096-94-0x000007FEECF30000-0x000007FEEDA8D000-memory.dmp

Filesize
11.4MB

Download
memory/1204-76-0x00000000021E7000-0x00000000021EF000-memory.dmp

Filesize
32KB

Download
memory/1204-79-0x000000001F5F0000-0x000000001F5F9000-memory.dmp

Filesize
36KB

Download
memory/1204-56-0x0000000002186000-0x00000000021A5000-memory.dmp

Filesize
124KB

Download
memory/1204-69-0x00000000021CB000-0x00000000021CF000-memory.dmp

Filesize
16KB

Download
memory/1204-70-0x00000000021CF000-0x00000000021D3000-memory.dmp

Filesize
16KB

Download
memory/1204-71-0x00000000021D3000-0x00000000021D7000-memory.dmp

Filesize
16KB

Download
memory/1204-72-0x00000000021D7000-0x00000000021DB000-memory.dmp

Filesize
16KB

Download
memory/1204-73-0x00000000021DB000-0x00000000021DF000-memory.dmp

Filesize
16KB

Download
memory/1204-74-0x00000000021DF000-0x00000000021E3000-memory.dmp

Filesize
16KB

Download
memory/1204-75-0x00000000021E3000-0x00000000021E7000-memory.dmp

Filesize
16KB

Download
memory/1204-54-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1204-77-0x00000000021EF000-0x00000000021F7000-memory.dmp

Filesize
32KB

Download
memory/1204-78-0x00000000021F7000-0x0000000002200000-memory.dmp

Filesize
36KB

Download
memory/1204-65-0x0000000002186000-0x00000000021A5000-memory.dmp

Filesize
124KB

Download
memory/1204-80-0x000000001F5F9000-0x000000001F601000-memory.dmp

Filesize
32KB

Download
memory/1204-81-0x000000001F601000-0x000000001F609000-memory.dmp

Filesize
32KB

Download
memory/1204-82-0x000000001F609000-0x000000001F611000-memory.dmp

Filesize
32KB

Download
memory/1204-55-0x000007FEF2140000-0x000007FEF31D6000-memory.dmp

Filesize
16.6MB

Download
memory/1204-67-0x00000000021C7000-0x00000000021CB000-memory.dmp

Filesize
16KB

Download
memory/1420-84-0x000000001B720000-0x000000001BA1F000-memory.dmp

Filesize
3.0MB

Download
memory/1420-85-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1420-86-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/1420-66-0x000007FEEDA90000-0x000007FEEE5ED000-memory.dmp

Filesize
11.4MB

Download
memory/1420-58-0x000007FEFB651000-0x000007FEFB653000-memory.dmp

Filesize
8KB

Download
memory/1420-63-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1420-68-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1420-57-0x0000000000000000-mapping.dmp

Download
memory/1460-90-0x0000000000000000-mapping.dmp

Download
memory/1580-97-0x0000000000000000-mapping.dmp

Download
memory/1580-114-0x0000000000A96000-0x0000000000AB5000-memory.dmp

Filesize
124KB

Download
memory/1580-102-0x000007FEF2140000-0x000007FEF31D6000-memory.dmp

Filesize
16.6MB

Download
memory/1580-101-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1976-118-0x0000000000BBF000-0x0000000000BC5000-memory.dmp

Filesize
24KB

Download
memory/1976-93-0x0000000000BB5000-0x0000000000BBA000-memory.dmp

Filesize
20KB

Download
memory/1976-95-0x0000000000BDA000-0x0000000000BDD000-memory.dmp

Filesize
12KB

Download
memory/1976-119-0x0000000000BCD000-0x0000000000BD0000-memory.dmp

Filesize
12KB

Download
memory/1976-59-0x0000000000000000-mapping.dmp

Download
memory/1976-64-0x000007FEF2140000-0x000007FEF31D6000-memory.dmp

Filesize
16.6MB

Download
memory/1976-96-0x0000000000BB7000-0x0000000000BBA000-memory.dmp

Filesize
12KB

Download
memory/1976-83-0x0000000000B96000-0x0000000000BB5000-memory.dmp

Filesize
124KB

Download
memory/1976-106-0x0000000000BD1000-0x0000000000BD4000-memory.dmp

Filesize
12KB

Download
memory/1976-108-0x0000000000BCD000-0x0000000000BD0000-memory.dmp

Filesize
12KB

Download
memory/1976-62-0x000007FEF31E0000-0x000007FEF3C03000-memory.dmp

Filesize
10.1MB

Download
memory/1976-110-0x0000000000BB6000-0x0000000000BBA000-memory.dmp

Filesize
16KB

Download
memory/1976-120-0x0000000000BD6000-0x0000000000BDA000-memory.dmp

Filesize
16KB

Download
memory/1976-112-0x0000000000BE2000-0x0000000000BE6000-memory.dmp

Filesize
16KB

Download
memory/1976-113-0x0000000000BE6000-0x0000000000BEA000-memory.dmp

Filesize
16KB

Download
memory/1976-98-0x0000000000BB7000-0x0000000000BBA000-memory.dmp

Filesize
12KB

Download
memory/1976-107-0x0000000000BBD000-0x0000000000BC5000-memory.dmp

Filesize
32KB

Download
memory/1976-115-0x0000000000BB5000-0x0000000000BB8000-memory.dmp

Filesize
12KB

Download
memory/1976-116-0x0000000000BBB000-0x0000000000BC5000-memory.dmp

Filesize
40KB

Download
memory/1976-117-0x0000000000BDA000-0x0000000000BDD000-memory.dmp

Filesize
12KB

Download
memory/1976-109-0x0000000000BD8000-0x0000000000BDD000-memory.dmp

Filesize
20KB

Download
memory/1976-92-0x0000000000BBE000-0x0000000000BC1000-memory.dmp

Filesize
12KB

Download
memory/1976-111-0x0000000000BDE000-0x0000000000BE2000-memory.dmp

Filesize
16KB

Download
memory/1976-121-0x0000000000BD1000-0x0000000000BD5000-memory.dmp

Filesize
16KB

Download
memory/1976-122-0x0000000000BBF000-0x0000000000BC5000-memory.dmp

Filesize
24KB

Download
memory/1976-123-0x0000000000BD1000-0x0000000000BD5000-memory.dmp

Filesize
16KB

Download
memory/1976-124-0x0000000000BBF000-0x0000000000BC5000-memory.dmp

Filesize
24KB

Download
memory/1976-125-0x0000000000BB5000-0x0000000000BBC000-memory.dmp

Filesize
28KB

Download
memory/1976-126-0x0000000000BC1000-0x0000000000BC5000-memory.dmp

Filesize
16KB

Download
memory/1976-127-0x0000000000BB5000-0x0000000000BBE000-memory.dmp

Filesize
36KB

Download
memory/1976-128-0x0000000000BD8000-0x0000000000BDB000-memory.dmp

Filesize
12KB

Download
memory/1976-131-0x0000000000BD8000-0x0000000000BDC000-memory.dmp

Filesize
16KB

Download
memory/1976-130-0x0000000000BBD000-0x0000000000BC5000-memory.dmp

Filesize
32KB

Download
memory/1976-129-0x0000000000BD9000-0x0000000000BDD000-memory.dmp

Filesize
16KB

Download
memory/1976-132-0x0000000000BD6000-0x0000000000BDA000-memory.dmp

Filesize
16KB

Download
memory/1976-133-0x0000000000BCD000-0x0000000000BD0000-memory.dmp

Filesize
12KB

Download
memory/1976-134-0x0000000000BB5000-0x0000000000BB8000-memory.dmp

Filesize
12KB

Download
memory/1976-135-0x0000000000BBF000-0x0000000000BC5000-memory.dmp

Filesize
24KB

Download
memory/1976-136-0x0000000000B96000-0x0000000000BB5000-memory.dmp

Filesize
124KB

Download
memory/1976-137-0x0000000000BBE000-0x0000000000BC1000-memory.dmp

Filesize
12KB

Download
memory/1976-138-0x0000000000BB5000-0x0000000000BBA000-memory.dmp

Filesize
20KB

Download
memory/1976-139-0x0000000000BB7000-0x0000000000BBA000-memory.dmp

Filesize
12KB

Download
memory/1976-140-0x0000000000BDA000-0x0000000000BDD000-memory.dmp

Filesize
12KB

Download
memory/1976-141-0x0000000000BBD000-0x0000000000BC5000-memory.dmp

Filesize
32KB

Download