hancitor | 36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925

Analysis

max time kernel
203s
max time network
207s
platform
windows10_x64
resource
win10-20220223-en
submitted
28-03-2022 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TopjQOYSxpfdTGMA.doc
Size

943KB
MD5

45a45e8755d528a77314b2be258614df
SHA1

ac76e90a575865376c80a06c9f445110ff9e8819
SHA256

36167dcde57f9a12723e0af7f9ea7aba88dd8cc1bdd74b62df1f86aa9d2ba925
SHA512

47e687de6504ae5ec5eee0f1012c20c7b8cfc35f0efd203718b2c87160c1523087268a50a9a5b7177431325d79da8f7e247f4d5bb4e0dadcd14d5e9c960c0b2a

Score

10^/10

hancitor 2103_punosh downloader suricata

Malware Config

Extracted

Family

hancitor

Botnet

2103_punosh

http://nanogeelr.com/9/forum.php

http://ockpitehou.ru/9/forum.php

http://lumentsawfu.ru/9/forum.php

Signatures

Hancitor
Hancitor is downloader used to deliver other malware families.
downloader hancitor

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

extrac32.exerundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2180	3404	extrac32.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2756	3404	rundll32.exe	WINWORD.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	204	348	rundll32.exe	WINWORD.EXE

suricata: ET MALWARE Suspected Win32/Hancitor Checkin
suricata: ET MALWARE Suspected Win32/Hancitor Checkin
suricata
Blocklisted process makes network request 6 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

12 2024 rundll32.exe
15 2024 rundll32.exe
29 2188 rundll32.exe
31 2188 rundll32.exe
35 2024 rundll32.exe
36 2188 rundll32.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2024 rundll32.exe
2188 rundll32.exe
2188 rundll32.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 api.ipify.org
11 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
12	2024	rundll32.exe
15	2024	rundll32.exe
29	2188	rundll32.exe
31	2188	rundll32.exe
35	2024	rundll32.exe
36	2188	rundll32.exe

flow	ioc
28	api.ipify.org
11	api.ipify.org

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings	cmd.exe

NTFS ADS 5 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\borw4.doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\borw4 (2).doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{230AACC6-A3FD-40BF-B241-70A7AFF8F6F4}\helf.hp_:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{C2529970-917E-4E64-9284-0953F4B4A323}\borw4.doc:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{C2529970-917E-4E64-9284-0953F4B4A323}\borw4 (2).doc:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3404 WINWORD.EXE
3404 WINWORD.EXE
348 WINWORD.EXE
348 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

rundll32.exepowershell.exerundll32.exe

pid	process
2024	rundll32.exe
2024	rundll32.exe
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe
2188	rundll32.exe
2188	rundll32.exe
2024	rundll32.exe
2024	rundll32.exe
2188	rundll32.exe
2188	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4076 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4076	powershell.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid	process
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
3404	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE
348	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WINWORD.EXErundll32.exepowershell.execmd.exeWINWORD.EXErundll32.exe

description	pid	process	target process
PID 3404 wrote to memory of 2152	3404	WINWORD.EXE	splwow64.exe
PID 3404 wrote to memory of 2152	3404	WINWORD.EXE	splwow64.exe
PID 3404 wrote to memory of 2180	3404	WINWORD.EXE	extrac32.exe
PID 3404 wrote to memory of 2180	3404	WINWORD.EXE	extrac32.exe
PID 3404 wrote to memory of 2756	3404	WINWORD.EXE	rundll32.exe
PID 3404 wrote to memory of 2756	3404	WINWORD.EXE	rundll32.exe
PID 2756 wrote to memory of 2024	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 2024	2756	rundll32.exe	rundll32.exe
PID 2756 wrote to memory of 2024	2756	rundll32.exe	rundll32.exe
PID 4076 wrote to memory of 3440	4076	powershell.exe	cmd.exe
PID 4076 wrote to memory of 3440	4076	powershell.exe	cmd.exe
PID 3440 wrote to memory of 348	3440	cmd.exe	WINWORD.EXE
PID 3440 wrote to memory of 348	3440	cmd.exe	WINWORD.EXE
PID 348 wrote to memory of 204	348	WINWORD.EXE	rundll32.exe
PID 348 wrote to memory of 204	348	WINWORD.EXE	rundll32.exe
PID 204 wrote to memory of 2188	204	rundll32.exe	rundll32.exe
PID 204 wrote to memory of 2188	204	rundll32.exe	rundll32.exe
PID 204 wrote to memory of 2188	204	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TopjQOYSxpfdTGMA.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2152

C:\Windows\SYSTEM32\extrac32.exe
extrac32.exe helff.hp_
2⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3440

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\TopjQOYSxpfdTGMA.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SYSTEM32\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS
4⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:204

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe helf.hpl,YDCFOMQICNKAUXS
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
471B

MD5
8fb27bd10dad40fe34666e7660fcf690

SHA1
6c5759568bba1866c41b5caee67360bcf68cfb95

SHA256
b330b88925be5cb640e017a1ae1c83256455a771288cefe8bb48762c9e1ca655

SHA512
fc5026e546af8c35284e605635a7587ef9a17e4dad3110d66f5a929e06b80e477358f1a526e77f1c108221e846685c9936d22050e3891c9336df3f68b9264ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Filesize
446B

MD5
9ac50884db9d20ffd09f6d5dbf9b07e4

SHA1
b45d68c5953929b93335595299ba355578f40c6a

SHA256
7b4dd1ff87b6cb3d47166aba4fba3eb84c0afba5b736fd9eeb4994aa25565355

SHA512
214e358fdb2d0e470c3e191a1854ce963be49a06a788fb9838c5d2a5fff6aca5ca4ee4fdac2b2598e9055b4f641101c5e8767a16a96b7218c0c89b12e513b2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\22F3F4C2-CCA6-43D2-A355-13FD210C7F2C
Filesize
142KB

MD5
e7a5960166d08e8da41d390478c806c5

SHA1
c4cfb49f470c9fbaed81208dc77c5bf73bfd2e82

SHA256
4c29fb48b764d1b0a685254b8e6c920c46914e30846373259e625e264833ddb8

SHA512
df8234f49abd8e0e5a014e8de26102be1483b6768a7feec629673d651fce38b0130d5bfbb3f4d00fd39b6f92b3bda9078b2779cb210ed79c32c5117ab7b57709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
Filesize
24KB

MD5
b00f3f56c104c94e03cd2ad8452c14e7

SHA1
51b78e45015e0d9d62fbdf31b75a22535a107204

SHA256
ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

SHA512
93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\helff.hp_
Filesize
799KB

MD5
0e71bc3c48b2cb1b5fcd107c2a1eb772

SHA1
9276387d7ba0f9a92b743c6d7cca30ce92752308

SHA256
d71ba9640c1c7bb714cd772a6a8c5f62affa9230e3eb68dcdd89793452178c40

SHA512
bfe545e8bedd2e7582811fbb88d6286ed23b985c68fed55340309b3baf6c85f3b8ec2b3cf4b85d65c36ceba5f034c0dc8773fc0c5d0bad7f0c8499d0b5a9fcdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
4f9e8f18a1f1baf5ea804a27548afcba

SHA1
62d1e716994582884195933700a25e0c42d9cfc2

SHA256
9df541d23a9faa43a04df9ff8e0baced74e4f547ad375adfc83ded6e5635bc8a

SHA512
23810daccea76504054fb0d6735173cd7d3b3bddaef56934a54ac60cb1ca427cd873489e047fde47a6163eb812ae1e9c511d08206ae4a97a6beadbd7eec05606

Download Submit
\??\c:\users\admin\appdata\roaming\microsoft\templates\helf.hpl
Filesize
1.7MB

MD5
5df3d0f5c72cf5e5f5558d0427fbe188

SHA1
7f3d18d51f70b226fd93cdcc50b30f24584e54a9

SHA256
446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f

SHA512
85b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\helf.hpl
Filesize
1.7MB

MD5
5df3d0f5c72cf5e5f5558d0427fbe188

SHA1
7f3d18d51f70b226fd93cdcc50b30f24584e54a9

SHA256
446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f

SHA512
85b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\helf.hpl
Filesize
1.7MB

MD5
5df3d0f5c72cf5e5f5558d0427fbe188

SHA1
7f3d18d51f70b226fd93cdcc50b30f24584e54a9

SHA256
446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f

SHA512
85b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Templates\helf.hpl
Filesize
1.7MB

MD5
5df3d0f5c72cf5e5f5558d0427fbe188

SHA1
7f3d18d51f70b226fd93cdcc50b30f24584e54a9

SHA256
446322c5499d41edee0ca0b83aba36f0cc74ed4743a2e50e6eb36d2a3469d85f

SHA512
85b4bac6afcb5e909ba6b805ef14479305a785a68b99893287bdb07c5a55e51db8f22c2ab5343d7898e07a8de424357377aacd8c5c1288e06d07fefaa2d0c757

Download Submit
memory/204-700-0x0000000000000000-mapping.dmp

Download
memory/348-478-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/348-481-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/348-480-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/348-479-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/348-477-0x0000000000000000-mapping.dmp

Download
memory/2024-323-0x0000000000000000-mapping.dmp

Download
memory/2024-325-0x0000000002D70000-0x0000000002D77000-memory.dmp

Filesize
28KB

Download
memory/2024-326-0x0000000002D90000-0x0000000002D98000-memory.dmp

Filesize
32KB

Download
memory/2152-262-0x0000000000000000-mapping.dmp

Download
memory/2180-317-0x0000000000000000-mapping.dmp

Download
memory/2188-704-0x0000000004070000-0x000000000422C000-memory.dmp

Filesize
1.7MB

Download
memory/2188-706-0x0000000000780000-0x0000000000788000-memory.dmp

Filesize
32KB

Download
memory/2188-701-0x0000000000000000-mapping.dmp

Download
memory/2188-705-0x0000000000760000-0x0000000000767000-memory.dmp

Filesize
28KB

Download
memory/2756-321-0x0000000000000000-mapping.dmp

Download
memory/3404-116-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-115-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-416-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-418-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-242-0x000002597510C000-0x000002597510E000-memory.dmp

Filesize
8KB

Download
memory/3404-117-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-417-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-114-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3404-419-0x00007FF9B61E0000-0x00007FF9B61F0000-memory.dmp

Filesize
64KB

Download
memory/3440-475-0x0000000000000000-mapping.dmp

Download
memory/4076-430-0x0000020445390000-0x0000020445392000-memory.dmp

Filesize
8KB

Download
memory/4076-425-0x000002042D1D0000-0x000002042D1F2000-memory.dmp

Filesize
136KB

Download
memory/4076-431-0x0000020445393000-0x0000020445395000-memory.dmp

Filesize
8KB

Download
memory/4076-448-0x00000204478A0000-0x00000204478DC000-memory.dmp

Filesize
240KB

Download
memory/4076-459-0x0000020447960000-0x00000204479D6000-memory.dmp

Filesize
472KB

Download