0c52f70b4c340274208310ef1c9c09eee3124fb58063aee0c010a9645e417650

Resubmissions

30-04-2024 10:29

240430-mjb7fshh74 10

26-04-2024 02:29

240426-cytpyahd23 10

26-04-2024 02:23

240426-cvm3zshc82 10

25-04-2024 03:51

240425-eekn2aeg39 10

Analysis

max time kernel
104s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document.doc.scr
Size

194KB
MD5

50e5dec57451005668704281688ca55d
SHA1

67dd4ac7eb8c193b39149b34d3a0d5bc21c3f200
SHA256

062683257386c9e41a1cd1493f029d817445c37f7c65386d54122fa466419ce1
SHA512

29ca4a44795c71d3e2b4e3417355ebb93765157d464d6d5a3fe6774056d934d57081c72001fb29e47982da11e5a5ccfdbcc958d05a11fb49bd8bf84e6d0c61ad
SSDEEP

3072:66glyuxE4GsUPnliByocWepRGbVZqid91h2ys+tU:66gDBGpvEByocWeubV4inP9B

Score

9^/10

ransomware spyware stealer

Malware Config

Signatures

Renames multiple (606) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

6A63.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation 6A63.tmp
Deletes itself 1 IoCs

Processes:

6A63.tmp

pid process

3708 6A63.tmp
Executes dropped EXE 1 IoCs

Processes:

6A63.tmp

pid process

3708 6A63.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	6A63.tmp

Drops desktop.ini file(s) 2 IoCs

Processes:

Document.doc.scr

description	ioc	process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini	Document.doc.scr
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini	Document.doc.scr

Drops file in System32 directory 4 IoCs

Processes:

splwow64.exeprintfilterpipelinesvc.exe

description	ioc	process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPcw7yj11md3481pb_75659n72b.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP0zp08ixt4yvd3f0v13olt1w3.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PPse8j3qm9zww30wi9vkkfqjxmc.TMP	printfilterpipelinesvc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Document.doc.scr

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Qs2QSInbk.bmp"	Document.doc.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Document.doc.scr6A63.tmp

pid process

4788 Document.doc.scr
4788 Document.doc.scr
4788 Document.doc.scr
4788 Document.doc.scr
3708 6A63.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ONENOTE.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE

Modifies Control Panel 2 IoCs

evasion

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop	Document.doc.scr
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\Desktop\WallpaperStyle = "10"	Document.doc.scr

Modifies registry class 5 IoCs

Processes:

Document.doc.scr

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Qs2QSInbk\ = "Qs2QSInbk"	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon	Document.doc.scr
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk	Document.doc.scr
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qs2QSInbk\DefaultIcon\ = "C:\\ProgramData\\Qs2QSInbk.ico"	Document.doc.scr

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

ONENOTE.EXE

pid process

3456 ONENOTE.EXE
3456 ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Document.doc.scr

pid	process
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr
4788	Document.doc.scr

Suspicious behavior: RenamesItself 26 IoCs

Processes:

6A63.tmp

pid	process
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp
3708	6A63.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Document.doc.scr

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeDebugPrivilege	4788	Document.doc.scr
Token: 36	4788	Document.doc.scr
Token: SeImpersonatePrivilege	4788	Document.doc.scr
Token: SeIncBasePriorityPrivilege	4788	Document.doc.scr
Token: SeIncreaseQuotaPrivilege	4788	Document.doc.scr
Token: 33	4788	Document.doc.scr
Token: SeManageVolumePrivilege	4788	Document.doc.scr
Token: SeProfSingleProcessPrivilege	4788	Document.doc.scr
Token: SeRestorePrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSystemProfilePrivilege	4788	Document.doc.scr
Token: SeTakeOwnershipPrivilege	4788	Document.doc.scr
Token: SeShutdownPrivilege	4788	Document.doc.scr
Token: SeDebugPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeBackupPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr
Token: SeSecurityPrivilege	4788	Document.doc.scr

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

ONENOTE.EXE

pid	process
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE
3456	ONENOTE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Document.doc.scrprintfilterpipelinesvc.exe6A63.tmp

description	pid	process	target process
PID 4788 wrote to memory of 5036	4788	Document.doc.scr	splwow64.exe
PID 4788 wrote to memory of 5036	4788	Document.doc.scr	splwow64.exe
PID 4368 wrote to memory of 3456	4368	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4368 wrote to memory of 3456	4368	printfilterpipelinesvc.exe	ONENOTE.EXE
PID 4788 wrote to memory of 3708	4788	Document.doc.scr	6A63.tmp
PID 4788 wrote to memory of 3708	4788	Document.doc.scr	6A63.tmp
PID 4788 wrote to memory of 3708	4788	Document.doc.scr	6A63.tmp
PID 4788 wrote to memory of 3708	4788	Document.doc.scr	6A63.tmp
PID 3708 wrote to memory of 4020	3708	6A63.tmp	cmd.exe
PID 3708 wrote to memory of 4020	3708	6A63.tmp	cmd.exe
PID 3708 wrote to memory of 4020	3708	6A63.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Document.doc.scr
"C:\Users\Admin\AppData\Local\Temp\Document.doc.scr" /S
1⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:5036
- C:\ProgramData\6A63.tmp
  "C:\ProgramData\6A63.tmp"
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\6A63.tmp >> NUL
    3⤵
    PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2844

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{32F5B5A4-115C-42F9-BF00-47E1DC66CC00}.xps" 133589465807560000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-877519540-908060166-1852957295-1000\desktop.ini

Filesize
129B

MD5
55262c1fb99007c3e189500ac7059896

SHA1
e9309e677dc5bf5d8d03d63a106161d2a8fc7a0d

SHA256
942362e1b9fc6fcd86d5e0da22db1881b3be396b6ec1def809d8b552f07eda0c

SHA512
8e57e94ec731a2ef04b586038dd42ab77d3b22573978aa0e1cb8a726e69ad9dce00a11fbd92cda386814353ff2bda94afb89a84a532d77ec1ca7e9ae15ec425f

Download Submit
C:\ProgramData\6A63.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
C:\Qs2QSInbk.README.txt

Filesize
434B

MD5
ad29bd8c66e114ff57c943d16c78f72a

SHA1
5ab070ee89a36f38facae4dfc8ec5ce3e59af46e

SHA256
6fe668fe8bf69158d1fd08e90f3cff60c1df410bf752635bf152853b6112549c

SHA512
a53121e2379aa9c3bc52d073498a54f26383834f6d6636b4b3831010565c80bf0da07511907eab7bd92f9796e559958b1c0ebea4c4b0f0d869e95b7deb5da7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{32F5B5A4-115C-42F9-BF00-47E1DC66CC00}.xps

Filesize
13.1MB

MD5
274fb44bd8afcc5875240b1163d5fbee

SHA1
db9905c64613b09c8117a15ce61b14f63961634d

SHA256
b4515fa1ffd2853fa82e4b53b22fa0f9128288777b0dde616c498adf21d51e19

SHA512
4a2bc4502d78332f300b3a47121f7ee51b50a851c5acac30b61730408907b741805aa1e0458e4d968da91dffbdf1a1dc8e59da00ad5e4451b0b2020c159aee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEEEEEEEEEEEEEE

Filesize
194KB

MD5
b6dbc8e8b47f5227a6cd99e8e5c1ce7c

SHA1
59f6a5efcc5ed4ac84183d4eddb3c033b86d9db4

SHA256
56bde961daf56a08a2ec5dbde3cf24158e15a99cbf8474e0dc016436580ed666

SHA512
fb1f083023f128d5095f7ea74c58c0bead048a24f4566bdafdc4de136839c8de4bc756758d0d152b6033dab1aa23962e6574d0bcb896ffd0f3b6192ece846e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B359653-BDB0-4AE2-84E8-EE999821058D}

Filesize
4KB

MD5
2a13d363d068d897358b256795054386

SHA1
0f7482310b0dd554b494b3f2d0d9aa758134ac36

SHA256
f6184e071e573bb83a1374bce096304886e03b92f786e74dbe5d1c26641eb8d2

SHA512
47b6bcafb94ad2df75ce83cc49ba35e275168d6cd16645892814a407c33b9375f5dfaa3f1b099f8ba5f514f3d64d97be33908689ca475b2d1d927c60799a845e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{79666AAD-2141-432E-87D2-486BDADACA70}

Filesize
4KB

MD5
f8d490e9cb57d0594896a11f0320982d

SHA1
85df2070f1cd8666e568b3c004ca25bca5efc4aa

SHA256
01d627a0ce1111e978cbc549a0090ee4dbf969a2e7ccfa16324ccc1752683313

SHA512
40391ca7230b32191590b9a87b3f2e62c962db55ccd78560aed8688c835791f1e3307d503f54ac3d0c79a28da7a2754c17655a5bdcc46ae7248c564b00155b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2

Filesize
4KB

MD5
da236c27737e6c1b256658e951e4543b

SHA1
77ce3920c911ffe1b7d7ed9f140d31f50e30d32e

SHA256
783ac41ef49d82993615e3a2dcb4ededc19bd2fed35e78f9ee724d0b149442f4

SHA512
d51bb1f991aaaafb2dd8517caa645021b167f411486a6fdcf0f8c684fb8c059f2acf3c23823172130ff9f0979b94e35e27ba358a6212f8e112c41cc1d019f545

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\DDDDDDDDDDD

Filesize
129B

MD5
dd3cdb52586c71dde31bad9b50fe13bc

SHA1
f41bffe0eff1c1ba5593837efff6d19b874aa446

SHA256
bd70a51c816d3b42a07c33665668af3a8692198ada96f592542c7095139128b9

SHA512
bde251af9697c60f9a9833d0fbc0ca2fbb9f9d6da154358d93e14ca5b5bc6bc01e1dc5542848c48dd722576ad2d36368ced6c730885bd4ca8f2ce7f4536573de

Download Submit
memory/3456-2797-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2940-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2799-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2833-0x00007FFAC8F40000-0x00007FFAC8F50000-memory.dmp

Filesize
64KB

Download
memory/3456-2834-0x00007FFAC8F40000-0x00007FFAC8F50000-memory.dmp

Filesize
64KB

Download
memory/3456-2798-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2801-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2942-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2943-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2941-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/3456-2803-0x00007FFACB870000-0x00007FFACB880000-memory.dmp

Filesize
64KB

Download
memory/4788-2-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4788-0-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download
memory/4788-1-0x0000000002980000-0x0000000002990000-memory.dmp

Filesize
64KB

Download