0fc002fd9f20226d6fcad8a4a447c83cd5b563c8a6f005f2ccfd36a67963206f

Resubmissions

19/10/2022, 18:57

221019-xl8njsdbcr 8

19/10/2022, 18:39

221019-xa4v8acedr 8

19/10/2022, 18:00

221019-wldyhaage6 4

Analysis

max time kernel
796s
max time network
794s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm
Size

143KB
MD5

f769f67681707e8f69ecdf9e62fb944c
SHA1

c5f6a48fa52a279e1f3424b97662b479716229af
SHA256

45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50
SHA512

779caa9c7efac57edc6078d212b04a930d66fa10b50967bb1b9131c9e240f40f09e6f81812583770e7ffac51d7d0e23b57e20e6a7719d73ab2f1673cb17943a9
SSDEEP

3072:2e3HSOTf6Mqfb041n8Vj9SmUNRzw16vDhLfByVBZsqnCVL:2eiObpS1nY9fqzjvDZoDsqngL

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
78	4352	powershell.exe
81	5048	powershell.exe
83	1080	powershell.exe
84	2324	powershell.exe
85	368	powershell.exe
86	4988	powershell.exe
87	2240	powershell.exe
88	4396	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	wscript.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	1968	WerFault.exe	98

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
4468	notepad.exe
4800	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
532	WINWORD.EXE
532	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4352	powershell.exe
4352	powershell.exe
5048	powershell.exe
5048	powershell.exe
1080	powershell.exe
1080	powershell.exe
2324	powershell.exe
2324	powershell.exe
368	powershell.exe
368	powershell.exe
4988	powershell.exe
4988	powershell.exe
2240	powershell.exe
2240	powershell.exe
4396	powershell.exe
4396	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	368	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE
532	WINWORD.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1080	1524	WScript.exe	105
PID 1524 wrote to memory of 1080	1524	WScript.exe	105
PID 2636 wrote to memory of 2324	2636	WScript.exe	108
PID 2636 wrote to memory of 2324	2636	WScript.exe	108
PID 1924 wrote to memory of 368	1924	wscript.EXE	111
PID 1924 wrote to memory of 368	1924	wscript.EXE	111

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:776

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\temp.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1968 -ip 1968
1⤵
PID:1172

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1968 -s 2084
1⤵
- Program crash
PID:3668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\temp.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\temp.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\ID.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1'"
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2555387b9e5f978d2369cf84a72f84f2

SHA1
bd8d9838e3b7e3ec4a4e4388bf56cfddd5d7ddb6

SHA256
b3a2f446a2f03b4718683abbbea6566d4167171e26bc20fe55ae0ba9f61da5e4

SHA512
9bcdf9a04fd1d3ec1650ce35d7f6c9045c0b69011e784c975f243ab4acb05728af67943916e57c2c9305f9d775f66e516dbf8119af89584ce71f371e78964451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1586c8d111a784225ff47434c89c7c0c

SHA1
c14cf6b2d39aeeb5fd9632a7e051af52b79c8c0b

SHA256
940531587fcf6114dd5bf042791d6ccf8f1aa455366edd380f6570e36325bca2

SHA512
5491d7d37c87a3b79be2c20223f6044178599a63a11e936d4e71b836012788291b2b7a9e7404e9317b14dd7e25b37beee5bd83b04ba4a0e46b42377892ac1899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0f33f82a66806c3268810d1941297a36

SHA1
448fc6cbd3c96d8f3d3f70bbf2293a0719eaa00a

SHA256
08c8e7ee736b27762646e536144730718d3ae45ace0c3fec585d9ae4af625aca

SHA512
29c0c8a643b73d2a7267151d1eca1a8447982a4bab86ee680a246af0c2927843b31c8664c3ab94983fff42c3f4386842ebab7a699f5e03cd982b7af0226d81c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e7134d42652dcbaa39e997d70057a12c

SHA1
04a1f503aef09cbfbcb2602cc404e31fa0567e1a

SHA256
84f3237d2536c7e677feb38797c4a9e34bcaeea394b96dba512e3f01067de71a

SHA512
8e5eafd3148cadf6e51b8dcdeb2ae4ffee7b61657a273c73b22f80bf48ae3400c4e51841e46f4914bb8ad2423f08577cc5c4f16532594cd5237da00995b10b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
332B

MD5
0e7fbb2799d2d2fc16ea5ea4c326aa17

SHA1
edafe9ed6bd9faab4f6fb76f2c30696592a94c29

SHA256
d05fffa89929ab037df844933ff7d321717bc5201c174160fe654f1dcf06a2a2

SHA512
f54b6341f67788309b5acf0c662fe41a018ad6b608ed59557a5981b889947a49ce20799704c47741d6141678384e178eb363bb691dbf2aafebadc89e22ff2c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
343e8c39515fd6160eef93ba3258c8e9

SHA1
eaa73a1b22a6bba9bdff8a7782ca028fb4d471b9

SHA256
abdcea65479ac28fb3027e1686d83f37ec21fc864a629a85d2e7f48b0a67e3d4

SHA512
412d3805df8b16d7adb46ee17b80a2fe3e17bb6810eb074e84963ed0aec2f303de1908c6954b05eaf925d46e1621767eb93ad8d634082624f60b804eaf956dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
086371bb8232adb52bdc2f80ca290719

SHA1
c17e61178ebfe90d66e13d2680ae8eaa628bfe4f

SHA256
89e870ab57765978cb866fe02a58388328e06aecee0c22f59c455882a23ab652

SHA512
94f07491d1ef053f83b95776661592b8b47b8049683c3f53e04ce8248c4fdd01e9c6c8937c8847d28865a62ac719f2b5fa79022671222bf4f4d9bc52928b0253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2da79552db00e86468d22fbc99c970e

SHA1
54a06cb71a932e99d3e077b2c0ea516f3a45eb3f

SHA256
888f426c686e69215e57fc22205ecdadc2fbc710d93b778c7e11fe1b67e595eb

SHA512
b162120b9fad26c2950870b8c713166349719edf873779ebd878dbb6552d91bc08617817a0b172d144bc19b463871079ec1dcf6ef0e66b2cd0254a81ccfd45a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1

Filesize
15KB

MD5
a3c14604fb4454ba5722f07f89780e73

SHA1
ed7b9ddbaee794cecb80fac794b0e6cb0ae073b5

SHA256
bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332

SHA512
3c70940829620ea283e6830d1ece89efbfb83ffd0278496ba356d37bb2a30ce885a565136f7e7911cd6a6dd8f93190c42418e2fc9e1b0f4d232fffc6260db123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs

Filesize
1KB

MD5
5b5464c5b0643161cb368f7a00900eef

SHA1
8bbb9ae8311ce3c87f478457ca8d3c47677d21ee

SHA256
92765a0cb0953d8df9484b5af79cd9b2e1e6248a7ec23ba0d977ff7082156a01

SHA512
78eb6b9183f447ba59bc41cddbc3d95a076684ba2beacf350dedd01e50dbb5c2c85dfa46aefe55fd7443aef11f606c30ca4a5876a97e4dad0a5925625a6c3995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\temp.ps1

Filesize
11KB

MD5
c3aedb781a5b96674764cd43ef076d10

SHA1
86da0100bb6a07a89eaa4dc3ec220e9dbd6ecf71

SHA256
16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55

SHA512
01021427a290a493c80b5c490811bd04f8743978c1b02c5565349a9309808e90f85ae606abdad638c941dd7097f54bc9f849755ad02baab797f1df2aa6032f58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
3e1d2faa2a30d3fc7e190f60cad85d4c

SHA1
8eef9eed63e0446d92edb3d6046ad136fa54338d

SHA256
980c78344e339b6d6b7426aa404841f9325eb219981866f466dbf13ab90ab626

SHA512
a7c868280137eead5c5461f5bc07c58434db89a9b05278eddbcc27a922bcff95150ba38eeacaf2b008c6f8157feef85047293a985c3890c91d6696132440fe0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
616ad38537af6e8d8c8706aebb67fb10

SHA1
55e899c1c9863709b42682713045447267b5c9b1

SHA256
18251425d5e6111ef9404fa20ce676951cff60bf3bb9eec8dd0f52e546c99e92

SHA512
7ed21193ad1de5f905c33e615e1ec1e598ff4f87fe7ce96cc7c8e8cb50a70d9808a0a96536e123750ddd0e4e738aacf7f9521da2d3593019be28be987703ba64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a370dbf3675e4f9cb047f6955e7b9db9

SHA1
f435b4aa84cf15249b7cd041e072902613b8665f

SHA256
91985717ce857887c8da03c95bc7cf6fa15fd1a529bd8bc5ef350d05b4252fca

SHA512
05d228d0f47d562b4f7b158797666fe7b9340342570a1800f356e780664c8a14bc60a6733a9cf52747e7159d4feac080cbc5c70674369bfa6bc2055b52be96fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
01cd648692826ad06b960fb8c2fc1bf6

SHA1
f8873ae13e19777d19bbac20bafb3fd89cc6e009

SHA256
db69ce7537e84b418a3cf6689600503306540989da389ea4f174e0eef22ed827

SHA512
120e93794e5b39abab2aae94b6eef029e88693229fafc117c13c1b30649889e33712a25b1e052345031c56c8cac74055f9dbe9880e9660895db16f741ec7df19

Download Submit
memory/368-169-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/368-172-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/368-170-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/532-142-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-137-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmp

Filesize
64KB

Download
memory/532-144-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-143-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-141-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-133-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-139-0x000001A9244A0000-0x000001A9244A4000-memory.dmp

Filesize
16KB

Download
memory/532-134-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-135-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-138-0x00007FFF15A20000-0x00007FFF15A30000-memory.dmp

Filesize
64KB

Download
memory/532-132-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/532-136-0x00007FFF17CF0000-0x00007FFF17D00000-memory.dmp

Filesize
64KB

Download
memory/1080-165-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-161-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/1080-160-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2240-182-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/2240-180-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/2240-181-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/2324-168-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-164-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-163-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-147-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-149-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-148-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/4352-146-0x000001F4D3D90000-0x000001F4D3DB2000-memory.dmp

Filesize
136KB

Download
memory/4396-186-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/4396-187-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/4396-188-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/4988-177-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/4988-176-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/4988-175-0x00007FFF38AC0000-0x00007FFF39581000-memory.dmp

Filesize
10.8MB

Download
memory/5048-156-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-155-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-153-0x00007FFF39610000-0x00007FFF3A0D1000-memory.dmp

Filesize
10.8MB

Download