ce90d07b63358dc14f246849d5a04b41692c849cdd2de04c2dc8b0e161a45b3e

Analysis

max time kernel
145s
max time network
114s
platform
windows7_x64
resource
win7v200410
submitted
27/04/2020, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

F820.tmp.exe
Size

813KB
MD5

42e683f3f24484bd47f079b114002571
SHA1

4a7840d449e1454561a34c49f7d91224ef892e2c
SHA256

ce90d07b63358dc14f246849d5a04b41692c849cdd2de04c2dc8b0e161a45b3e
SHA512

fff26cf5458487b88872f5150cf3ee10a2d6b6a94a16e05daf672fb7407c0e417d8477b0d8a5ab96f417669c16149bea98a8075ab7609379cce7006a5be69c8f

Score

8^/10

spyware discovery evasion persistence

Malware Config

Signatures

Suspicious use of WriteProcessMemory 77 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1640	2024	F820.tmp.exe	27
PID 2024 wrote to memory of 1640	2024	F820.tmp.exe	27
PID 2024 wrote to memory of 1640	2024	F820.tmp.exe	27
PID 2024 wrote to memory of 1640	2024	F820.tmp.exe	27
PID 2024 wrote to memory of 996	2024	F820.tmp.exe	28
PID 2024 wrote to memory of 996	2024	F820.tmp.exe	28
PID 2024 wrote to memory of 996	2024	F820.tmp.exe	28
PID 2024 wrote to memory of 996	2024	F820.tmp.exe	28
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 996 wrote to memory of 1748	996	F820.tmp.exe	29
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 1748 wrote to memory of 1780	1748	updatewin1.exe	30
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 996 wrote to memory of 1820	996	F820.tmp.exe	32
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 1780 wrote to memory of 1840	1780	updatewin1.exe	33
PID 996 wrote to memory of 1568	996	F820.tmp.exe	35
PID 996 wrote to memory of 1568	996	F820.tmp.exe	35
PID 996 wrote to memory of 1568	996	F820.tmp.exe	35
PID 996 wrote to memory of 1568	996	F820.tmp.exe	35
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1780 wrote to memory of 1584	1780	updatewin1.exe	37
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1584 wrote to memory of 1164	1584	powershell.exe	39
PID 1780 wrote to memory of 1696	1780	updatewin1.exe	41
PID 1780 wrote to memory of 1696	1780	updatewin1.exe	41
PID 1780 wrote to memory of 1696	1780	updatewin1.exe	41
PID 1780 wrote to memory of 1696	1780	updatewin1.exe	41
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1780 wrote to memory of 1724	1780	updatewin1.exe	43
PID 1568 wrote to memory of 1580	1568	5.exe	45
PID 1568 wrote to memory of 1580	1568	5.exe	45
PID 1568 wrote to memory of 1580	1568	5.exe	45
PID 1568 wrote to memory of 1580	1568	5.exe	45
PID 1580 wrote to memory of 1460	1580	cmd.exe	47
PID 1580 wrote to memory of 1460	1580	cmd.exe	47
PID 1580 wrote to memory of 1460	1580	cmd.exe	47
PID 1580 wrote to memory of 1460	1580	cmd.exe	47
PID 520 wrote to memory of 700	520	taskeng.exe	54
PID 520 wrote to memory of 700	520	taskeng.exe	54
PID 520 wrote to memory of 700	520	taskeng.exe	54
PID 520 wrote to memory of 700	520	taskeng.exe	54

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1460	taskkill.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1460	taskkill.exe

Makes http(s) request 19 IoCs

Contacts server via http/https, possibly for C2 communication.

description	flow	ioc
HTTP URL	15	http://akbz.top/files/penelop/3.exe
HTTP URL	20	http://evergladsea.com/517
HTTP URL	20	http://evergladsea.com/freebl3.dll
HTTP URL	20	http://evergladsea.com/mozglue.dll
HTTP URL	20	http://evergladsea.com/msvcp140.dll
HTTP URL	20	http://evergladsea.com/vcruntime140.dll
HTTP URL	11	http://akbz.top/files/penelop/updatewin1.exe
HTTP URL	12	http://akbz.top/ydtftysdtyftysdfsdpen3/get.php?pid=7FE0677D783F4AD4240B4688EDAACCFA&first=true
HTTP URL	31	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL	22	http://ip-api.com/line/
HTTP URL	14	http://akbz.top/files/penelop/updatewin.exe
HTTP URL	20	http://evergladsea.com/nss3.dll
HTTP URL	20	http://evergladsea.com/
HTTP URL	6	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL	9	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
HTTP URL	17	http://akbz.top/files/penelop/5.exe
HTTP URL	20	http://evergladsea.com/softokn3.dll
HTTP URL	13	http://akbz.top/files/penelop/updatewin2.exe
HTTP URL	16	http://akbz.top/files/penelop/4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Loads dropped DLL 16 IoCs

pid	Process
996	F820.tmp.exe
1748	updatewin1.exe
1748	updatewin1.exe
1748	updatewin1.exe
1748	updatewin1.exe
1748	updatewin1.exe
1780	updatewin1.exe
1780	updatewin1.exe
1780	updatewin1.exe
996	F820.tmp.exe
996	F820.tmp.exe
996	F820.tmp.exe
1568	5.exe
1568	5.exe
1568	5.exe
1568	5.exe

Executes dropped EXE 5 IoCs

pid	Process
1748	updatewin1.exe
1780	updatewin1.exe
1820	updatewin2.exe
1568	5.exe
700	F820.tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1656	NOTEPAD.EXE

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3765897441-2376744223-3151462503-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5def4699-2071-43af-b361-72c272756e78\\F820.tmp.exe\" --AutoStart"	F820.tmp.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2024	F820.tmp.exe
2024	F820.tmp.exe
996	F820.tmp.exe
996	F820.tmp.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
1584	powershell.exe
1584	powershell.exe
1568	5.exe
1568	5.exe
1568	5.exe
1568	5.exe
1164	powershell.exe
996	F820.tmp.exe
700	F820.tmp.exe
700	F820.tmp.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1640	icacls.exe

Checks for installed software on the system 1 TTPs 28 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	5.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}\DisplayName	5.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName	5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName	5.exe

Disables Task Manager via registry modification
evasion

C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
PID:2024
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\F820.tmp.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Suspicious use of WriteProcessMemory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:996
- - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
    "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL
    - Executes dropped EXE
    PID:1748
  - - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe
      "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin1.exe" --Admin
      4⤵
      Suspicious use of WriteProcessMemory
      Loads dropped DLL
      Executes dropped EXE
      PID:1780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        Suspicious use of WriteProcessMemory
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        
        PID:1696
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:1724
- - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe
    "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:1820
- - C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe
    "C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe"
    3⤵
    - Loads dropped DLL
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Checks for installed software on the system
    PID:1568
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\41a7afab-c66a-4648-b64f-99eccafcb66c\5.exe & exit
      4⤵
      PID:1580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Kills process with taskkill
        
        PID:1460

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1388

C:\Windows\system32\taskeng.exe
taskeng.exe {969DBEDC-FA5C-43ED-ADFC-B54FB9707DB8} S-1-5-21-3765897441-2376744223-3151462503-1000:BKIWADLA\Admin:Interactive:[1]
1⤵
PID:520
- C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe
  C:\Users\Admin\AppData\Local\5def4699-2071-43af-b361-72c272756e78\F820.tmp.exe --Task
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/700-928-0x00000000045B0000-0x00000000045C1000-memory.dmp

Filesize
68KB

Download
memory/700-927-0x0000000002D30000-0x0000000002DC1000-memory.dmp

Filesize
580KB

Download
memory/996-3-0x0000000000320000-0x00000000003B1000-memory.dmp

Filesize
580KB

Download
memory/996-59-0x0000000005DB0000-0x0000000005DC1000-memory.dmp

Filesize
68KB

Download
memory/996-57-0x00000000061C0000-0x00000000061D1000-memory.dmp

Filesize
68KB

Download
memory/996-56-0x0000000005DB0000-0x0000000005DC1000-memory.dmp

Filesize
68KB

Download
memory/996-4-0x0000000004770000-0x0000000004781000-memory.dmp

Filesize
68KB

Download
memory/1568-32-0x0000000000B70000-0x0000000000B81000-memory.dmp

Filesize
68KB

Download
memory/1568-31-0x000000000030A000-0x000000000030B000-memory.dmp

Filesize
4KB

Download
memory/1748-12-0x0000000002000000-0x0000000002011000-memory.dmp

Filesize
68KB

Download
memory/1748-13-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1780-20-0x0000000001FB0000-0x0000000001FC1000-memory.dmp

Filesize
68KB

Download
memory/1780-23-0x0000000000512000-0x0000000000513000-memory.dmp

Filesize
4KB

Download
memory/1820-25-0x000000000059F000-0x00000000005A0000-memory.dmp

Filesize
4KB

Download
memory/1820-24-0x0000000001F30000-0x0000000001F41000-memory.dmp

Filesize
68KB

Download
memory/2024-0-0x0000000000300000-0x0000000000391000-memory.dmp

Filesize
580KB

Download
memory/2024-1-0x00000000045B0000-0x00000000045C1000-memory.dmp

Filesize
68KB

Download