cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 19:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe
Size

191KB
MD5

0f59a92a741c75589d649af26b7c0920
SHA1

7c42edba2f2a764ee1051397acb24564aedb5c5c
SHA256

cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c
SHA512

3ecb19e2a76bbf34d4443466c49b4c672ec22431c5c04ff8a414cb31d1cf42fef2f96c574226d2a326fa2712c70f01264a9052d35a8ccc8e583520a85ae3dc39
SSDEEP

3072:dBI5ArKGCnhgU1XA+ArXjeaMoh6lgUaVwQ+/76bSSN+PS7VyoCeJ6ik+wZ:dK5ArKjbAxXSaegUqGeGpBohM+w

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3732	bitshone.exe
884	appiofmt.exe
4720	~743B.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\atpact = "C:\\Users\\Admin\\AppData\\Roaming\\MuiUName\\bitshone.exe"	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\appiofmt.exe	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4760	WINWORD.EXE
4760	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3732	bitshone.exe
3732	bitshone.exe
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
2824	Explorer.EXE
884	appiofmt.exe
2824	Explorer.EXE
2824	Explorer.EXE
884	appiofmt.exe
884	appiofmt.exe
884	appiofmt.exe
2824	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2824	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE
Token: SeShutdownPrivilege	2824	Explorer.EXE
Token: SeCreatePagefilePrivilege	2824	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
4760	WINWORD.EXE
2824	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3732	4332	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe	80
PID 4332 wrote to memory of 3732	4332	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe	80
PID 4332 wrote to memory of 3732	4332	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe	80
PID 3732 wrote to memory of 4720	3732	bitshone.exe	82
PID 3732 wrote to memory of 4720	3732	bitshone.exe	82
PID 4720 wrote to memory of 2824	4720	~743B.tmp	34
PID 4332 wrote to memory of 4760	4332	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe	83
PID 4332 wrote to memory of 4760	4332	cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe	83

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2824
- C:\Users\Admin\AppData\Local\Temp\cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe
  "C:\Users\Admin\AppData\Local\Temp\cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Roaming\MuiUName\bitshone.exe
    "C:\Users\Admin\AppData\Roaming\MuiUName\bitshone.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Users\Admin\AppData\Local\Temp\~743B.tmp
      "C:\Users\Admin\AppData\Local\Temp\~743B.tmp"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4720
- - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\~7479.tmp.docx" /o ""
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID:4760

C:\Windows\SysWOW64\appiofmt.exe
C:\Windows\SysWOW64\appiofmt.exe -k
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~743B.tmp

Filesize
6KB

MD5
ff053a55b94eee15b8795aca061e5cfa

SHA1
a6a571433fbb1fa68eb7b8b1075f7545e9de0aca

SHA256
6f65c6a367f1a2b480421d0f7eac5a87e310ad4090d3754bf3b591e64326a779

SHA512
a02e044f57bd8b6bc44e47957c10a29c7adef1b2fc0a77208d5137b27a6cd517e0b6d3588cc40bfe2dd17b77d80b0bb0cc95273eeefdfac1cbae8d654d2d9f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~743B.tmp

Filesize
6KB

MD5
ff053a55b94eee15b8795aca061e5cfa

SHA1
a6a571433fbb1fa68eb7b8b1075f7545e9de0aca

SHA256
6f65c6a367f1a2b480421d0f7eac5a87e310ad4090d3754bf3b591e64326a779

SHA512
a02e044f57bd8b6bc44e47957c10a29c7adef1b2fc0a77208d5137b27a6cd517e0b6d3588cc40bfe2dd17b77d80b0bb0cc95273eeefdfac1cbae8d654d2d9f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7479.tmp.docx

Filesize
16KB

MD5
ff0b548839422cda08a614f0a1952731

SHA1
721a6644c463655a1a0653c4297a5b9732259bf8

SHA256
abac053945ffd817b661aecf6ba8e5ea5c862f2c3f3f10c909f5361c0b38de91

SHA512
9cdf3105b902de995b5e411fd552227a461dab061a861f8bb44ae9e89fe1430c8ca44e4b3af1aee400df94d7e3a3b826b01e292a57381943ce64ceb5c9141a3a

Download Submit
C:\Users\Admin\AppData\Roaming\MuiUName\bitshone.exe

Filesize
172KB

MD5
cd9d5b902e6abd56f353e9a82db011d5

SHA1
f1b3c65efff6eefa69569c5bc4e6d8570eebaa2a

SHA256
c51d97971a43bd460e302a830512040c81974f0ab33375d93f2c417c44e5191f

SHA512
bc0cd93a576281bdc903a3720f410884e6a686be34c8d695ce5b2256f708f0b3e2ff84ef4e8bb1dd65088c44bf1d14b241c74c04522e7098acc27e1ba628f2fe

Download Submit
C:\Users\Admin\AppData\Roaming\MuiUName\bitshone.exe

Filesize
172KB

MD5
cd9d5b902e6abd56f353e9a82db011d5

SHA1
f1b3c65efff6eefa69569c5bc4e6d8570eebaa2a

SHA256
c51d97971a43bd460e302a830512040c81974f0ab33375d93f2c417c44e5191f

SHA512
bc0cd93a576281bdc903a3720f410884e6a686be34c8d695ce5b2256f708f0b3e2ff84ef4e8bb1dd65088c44bf1d14b241c74c04522e7098acc27e1ba628f2fe

Download Submit
C:\Windows\SysWOW64\appiofmt.exe

Filesize
191KB

MD5
0f59a92a741c75589d649af26b7c0920

SHA1
7c42edba2f2a764ee1051397acb24564aedb5c5c

SHA256
cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c

SHA512
3ecb19e2a76bbf34d4443466c49b4c672ec22431c5c04ff8a414cb31d1cf42fef2f96c574226d2a326fa2712c70f01264a9052d35a8ccc8e583520a85ae3dc39

Download Submit
C:\Windows\SysWOW64\appiofmt.exe

Filesize
191KB

MD5
0f59a92a741c75589d649af26b7c0920

SHA1
7c42edba2f2a764ee1051397acb24564aedb5c5c

SHA256
cfff403cc6fbd08e1ce65e63ebdf32bd8b7b11c3d0ec09ac8fe0dfd7d5c1cf4c

SHA512
3ecb19e2a76bbf34d4443466c49b4c672ec22431c5c04ff8a414cb31d1cf42fef2f96c574226d2a326fa2712c70f01264a9052d35a8ccc8e583520a85ae3dc39

Download Submit
memory/884-141-0x0000000000DD0000-0x0000000000E12000-memory.dmp

Filesize
264KB

Download
memory/2824-184-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-164-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-142-0x0000000002420000-0x0000000002461000-memory.dmp

Filesize
260KB

Download
memory/2824-201-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2824-200-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2824-199-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-198-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-197-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-196-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2824-195-0x00000000028A0000-0x00000000028B0000-memory.dmp

Filesize
64KB

Download
memory/2824-194-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-193-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-192-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-191-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-190-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-187-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-157-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-158-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-159-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-163-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-162-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-161-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-160-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-168-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-167-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-166-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-172-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-171-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-170-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-169-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-165-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-189-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-176-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-175-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-177-0x0000000007C80000-0x0000000007C90000-memory.dmp

Filesize
64KB

Download
memory/2824-174-0x0000000007C50000-0x0000000007C60000-memory.dmp

Filesize
64KB

Download
memory/2824-173-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-178-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-179-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-180-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-182-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-181-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-183-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-188-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-185-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/2824-186-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

Filesize
64KB

Download
memory/4332-132-0x0000000000810000-0x0000000000852000-memory.dmp

Filesize
264KB

Download
memory/4760-156-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-154-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-153-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-155-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-150-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/4760-149-0x00007FF9DE600000-0x00007FF9DE610000-memory.dmp

Filesize
64KB

Download
memory/4760-148-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-147-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-146-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-145-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download
memory/4760-144-0x00007FF9E06B0000-0x00007FF9E06C0000-memory.dmp

Filesize
64KB

Download