a70c2aca08d9d8124c57b373d3f8f39b55fa1fb44c5358bc2a4b21a4327187b4

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 03:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe
Size

719KB
MD5

b74af6f8231cb0dd8dbaa270e215a7bb
SHA1

119a5be8d17efd8e29db166372ccd544707cf846
SHA256

267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1
SHA512

b5cf67be9aa68ddc55fecd02d2bcf3f4adad23eaa76086158ec85b689de0f8ab6571592d15ec8811d7d29b48f9572b7ad2433f0e22460894957877a7d9cd5944
SSDEEP

12288:2Lo1xVGJXXTtZB3UqW7BCiTlsdubTPcaX5DRgzp1carS8tnoFJTiha:rGpTtZ5g7YKlsdUEaXtw728FoF5i

Score

10^/10

persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2568 created 1180	2568	Carpet.pif	16
PID 2568 created 1180	2568	Carpet.pif	16

Deletes itself 1 IoCs

pid	Process
2568	Carpet.pif

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaFit.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaFit.url	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2568	Carpet.pif
2816	jsc.exe
352	jsc.exe
2984	jsc.exe
1304	jsc.exe

Loads dropped DLL 3 IoCs

pid	Process
2064	cmd.exe
2568	Carpet.pif
2132	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1584	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
572	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2728	tasklist.exe
2892	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2524	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	tasklist.exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeDebugPrivilege	2816	jsc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2568	Carpet.pif
2568	Carpet.pif
2568	Carpet.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 3048	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	28
PID 624 wrote to memory of 3048	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	28
PID 624 wrote to memory of 3048	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	28
PID 624 wrote to memory of 3048	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	28
PID 624 wrote to memory of 2064	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	29
PID 624 wrote to memory of 2064	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	29
PID 624 wrote to memory of 2064	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	29
PID 624 wrote to memory of 2064	624	267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe	29
PID 2064 wrote to memory of 2728	2064	cmd.exe	31
PID 2064 wrote to memory of 2728	2064	cmd.exe	31
PID 2064 wrote to memory of 2728	2064	cmd.exe	31
PID 2064 wrote to memory of 2728	2064	cmd.exe	31
PID 2064 wrote to memory of 2732	2064	cmd.exe	32
PID 2064 wrote to memory of 2732	2064	cmd.exe	32
PID 2064 wrote to memory of 2732	2064	cmd.exe	32
PID 2064 wrote to memory of 2732	2064	cmd.exe	32
PID 2064 wrote to memory of 2892	2064	cmd.exe	34
PID 2064 wrote to memory of 2892	2064	cmd.exe	34
PID 2064 wrote to memory of 2892	2064	cmd.exe	34
PID 2064 wrote to memory of 2892	2064	cmd.exe	34
PID 2064 wrote to memory of 2688	2064	cmd.exe	35
PID 2064 wrote to memory of 2688	2064	cmd.exe	35
PID 2064 wrote to memory of 2688	2064	cmd.exe	35
PID 2064 wrote to memory of 2688	2064	cmd.exe	35
PID 2064 wrote to memory of 2768	2064	cmd.exe	36
PID 2064 wrote to memory of 2768	2064	cmd.exe	36
PID 2064 wrote to memory of 2768	2064	cmd.exe	36
PID 2064 wrote to memory of 2768	2064	cmd.exe	36
PID 2064 wrote to memory of 2856	2064	cmd.exe	37
PID 2064 wrote to memory of 2856	2064	cmd.exe	37
PID 2064 wrote to memory of 2856	2064	cmd.exe	37
PID 2064 wrote to memory of 2856	2064	cmd.exe	37
PID 2064 wrote to memory of 2780	2064	cmd.exe	38
PID 2064 wrote to memory of 2780	2064	cmd.exe	38
PID 2064 wrote to memory of 2780	2064	cmd.exe	38
PID 2064 wrote to memory of 2780	2064	cmd.exe	38
PID 2064 wrote to memory of 2568	2064	cmd.exe	39
PID 2064 wrote to memory of 2568	2064	cmd.exe	39
PID 2064 wrote to memory of 2568	2064	cmd.exe	39
PID 2064 wrote to memory of 2568	2064	cmd.exe	39
PID 2064 wrote to memory of 2524	2064	cmd.exe	40
PID 2064 wrote to memory of 2524	2064	cmd.exe	40
PID 2064 wrote to memory of 2524	2064	cmd.exe	40
PID 2064 wrote to memory of 2524	2064	cmd.exe	40
PID 2568 wrote to memory of 2596	2568	Carpet.pif	41
PID 2568 wrote to memory of 2596	2568	Carpet.pif	41
PID 2568 wrote to memory of 2596	2568	Carpet.pif	41
PID 2568 wrote to memory of 2596	2568	Carpet.pif	41
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2568 wrote to memory of 2816	2568	Carpet.pif	43
PID 2816 wrote to memory of 2132	2816	jsc.exe	44
PID 2816 wrote to memory of 2132	2816	jsc.exe	44
PID 2816 wrote to memory of 2132	2816	jsc.exe	44
PID 2816 wrote to memory of 2132	2816	jsc.exe	44
PID 2132 wrote to memory of 1032	2132	cmd.exe	46
PID 2132 wrote to memory of 1032	2132	cmd.exe	46
PID 2132 wrote to memory of 1032	2132	cmd.exe	46
PID 2132 wrote to memory of 1032	2132	cmd.exe	46
PID 2132 wrote to memory of 572	2132	cmd.exe	47
PID 2132 wrote to memory of 572	2132	cmd.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1180
- C:\Users\Admin\AppData\Local\Temp\267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe
  "C:\Users\Admin\AppData\Local\Temp\267ea6b4497e79e884e06a78dbadb0ac85e7da70987a6230d299b1a3aae2edd1.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\TapiUnattend.exe
    TapiUnattend.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /k move Ko Ko.bat & Ko.bat & exit
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:2732
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe"
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 15252
      4⤵
      PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Firefox + Jerusalem + Scales + Penny + Refund 15252\Carpet.pif
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Boring + Campus 15252\u
      4⤵
      PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\Carpet.pif
      15252\Carpet.pif 15252\u
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Deletes itself
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2568
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:2524
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaFit.url" & echo URL="C:\Users\Admin\AppData\Local\VitalNourish Technologies Inc\VitaFit.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VitaFit.url" & exit
  2⤵
  - Drops startup file
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\jsc.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\jsc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "jsc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\jsc.exe" &&START "" "C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:1032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:572
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn "jsc" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1584
  - - C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe
      "C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe"
      4⤵
      Executes dropped EXE
      PID:352

C:\Windows\system32\taskeng.exe
taskeng.exe {DCA8566C-8E77-4C1A-977D-36CD7BFEF4F9} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
PID:2216
- C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe
  C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe
  C:\Users\Admin\AppData\Local\RobloxSecurity\jsc.exe
  2⤵
  - Executes dropped EXE
  PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\u

Filesize
621KB

MD5
9dc21ea874da4ff1e358afe3f3c46f85

SHA1
d07ff80f1790d72dbd71b6394c099840f5accb92

SHA256
9a7dd287ff7dea4c63a7ee26a805c2cad925415bd8cfab9461171979e6380b70

SHA512
981fd7413ddd358e1cbcb8eefe052d6a61d1a4dcd3f1f2ada9f881e19c738f73ec6fbced032c769f13740959f39e5d7b1118f3331848bbf103bc6f4a670dd15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Boring

Filesize
423KB

MD5
d2d413509281b450ec85a23da848cd7c

SHA1
df131db8197c125b242a960661b213d549336442

SHA256
746b9d5a765456c495152c84538fd2eae3fabf3d956205baa789fb4af0e3701e

SHA512
bd220ba76c341613dec1deed0703796f68c47a94e9326c7e974a6f402eb562c00b08cde39d24c9c0d797b3870b686e76154b1bd41c8bab74627febc0b4f3f297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Campus

Filesize
198KB

MD5
f46b3971a933d5f7a41968bd2a421eda

SHA1
3821d7879028b16d0f6860ca1ee2e11386cee052

SHA256
85896ae3b99d84e09cfe8a9212653ccf6fd310592ed09a2af5d4a0f33ef011d1

SHA512
58221bcd67a52772f9a4599d66dd3a118d617dcac826a6c4bf1ce5cc1bbe9247aa74d29e6c5d90e4c8a584d808f9a5648f28212ac1cf63f74ab0b297fe033a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Firefox

Filesize
238KB

MD5
f0b0088291bd53c8a8ccdde80b27c1ea

SHA1
edc14809a25bacd6a8d573519430c5a0b7bdabf3

SHA256
854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96

SHA512
df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jerusalem

Filesize
133KB

MD5
89b72402fb2128e801afca536ddbd408

SHA1
788d8dabbee14f476583b6fa5bb1ccecb8753e7b

SHA256
c402f2024c451dfcd905910e0f8eabdbd9b03a297d650998c815c67012f62351

SHA512
3830e800dac9492544a4386da090e9c05a1bee8dd8ebcba52b4c7ec6b24553a94910a86574b7d52468a50973f9816c555932c90d96577087624184cb15fb80bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko

Filesize
12KB

MD5
a7cb29cfd2c5c111bda20a1ec23c2525

SHA1
237cb8bf001552eabab02b3dd76f151c1f3ad3f2

SHA256
371547494bc44eed143aed7b24f0d25436997f1c40c8fc51a95d6da7fc97f0bf

SHA512
f8207af7e5aab6c927a80a1339d3e3da7921ca58c1e9f5c03896f82ca9e519f4871caf36e7fad96eca030ac2794bdd789d5288150be4fddcfe0a0dc64110d3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Penny

Filesize
265KB

MD5
ec877d12379bec45229c6351119e8ac1

SHA1
23de00bb8cddc02a601b4cad430f7e140f801d31

SHA256
ac1ec658b7b59793fe15f5750bb0674320f93ea5c663c3511f8b9753aa60e1fd

SHA512
c6fe4346860fa3892ad78aff110a8251c5cfacb59344cf2dbb994230c184de145a9f2c438ce022aa95d4815172726b804fd1e64265cf1f14ac3f83a317490fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Refund

Filesize
59KB

MD5
a408816ba561c80c045f4252eef49d19

SHA1
32fb286e4180cd360114540f83d2fee40e334659

SHA256
17cd1dfcf929e6c3c98e9ea6cd5c5bca23eaa263193cbc34d51929b0c349ec07

SHA512
4c6c3f165167fb884f63012a6037d83f499644b3893657aab382d378ac4d6d2d844b88e3f9b7744ad5706187c2dbe8c7ccdecfb122bc1a237b9e916e4a433a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Scales

Filesize
229KB

MD5
80ee75fbe1f762a36cc970e75b25c8b9

SHA1
57baafd967fc65ba02abb56a311659321ec0828a

SHA256
84da8792f5b41537bad1bdaa6c2f62d17f5e0ece583f62eedd3717f62945b894

SHA512
bbd6b84537ec6f2ec3937c943bc965d1ccc811b82eaf67dedd5d1646b98258c3551c498e1953b55f31ebe2dd02bfca00ea95d2ae8cfe6cbf63d6433108aa6360

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\Carpet.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\15252\jsc.exe

Filesize
45KB

MD5
f1feead2143c07ca411d82a29fa964af

SHA1
2198e7bf402773757bb2a25311ffd2644e5a1645

SHA256
8f2800ac8af72e8038e146b3988a30651952f20ed6cdf7be3ae4709fbb026af1

SHA512
e7e2266ec862a793da7cea01c926b7a874453cf2efb0b4b77776c26042dc2ded74f17c390fad97bd2d8c0c4971a1b9d9e6c705a13edbc9e48570922e5e6cc9df

Download Submit
memory/352-58-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/352-56-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/352-55-0x0000000000B90000-0x0000000000B9E000-memory.dmp

Filesize
56KB

Download
memory/352-59-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/352-57-0x00000000008D0000-0x000000000098A000-memory.dmp

Filesize
744KB

Download
memory/1304-67-0x00000000012C0000-0x00000000012CE000-memory.dmp

Filesize
56KB

Download
memory/1304-68-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/1304-69-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/1304-70-0x0000000074170000-0x000000007485E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-36-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2816-48-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2816-51-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-47-0x0000000073CA0000-0x000000007438E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-45-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/2816-43-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/2816-40-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/2984-61-0x00000000012C0000-0x00000000012CE000-memory.dmp

Filesize
56KB

Download
memory/2984-62-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download
memory/2984-64-0x0000000001200000-0x00000000012BA000-memory.dmp

Filesize
744KB

Download
memory/2984-63-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2984-65-0x0000000074130000-0x000000007481E000-memory.dmp

Filesize
6.9MB

Download