8c278b732a5ab1bd699cfa7b4fcdd1868f686779a9ff66d43b6834baac3547df

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

订单信息.pdf_.exe
Size

6.7MB
MD5

95decb42f6e1e72bcd71a2965f789217
SHA1

a0e338d3492618486b872b7967e79572611de6da
SHA256

8c278b732a5ab1bd699cfa7b4fcdd1868f686779a9ff66d43b6834baac3547df
SHA512

8d33d0aaf8acb0d0aefd4ad723f674945638ab6e11c1f41f1e748f6d9120e23d16d99856204228f8cd012b7d812a9da58a28fc1d03254ecf33bb211dc2c7c749
SSDEEP

98304:Z3i51vCbt/lQKBErje9G7J7GdiuJ67nDezL:pBNQV/sSuIDezL

Score

5^/10

discovery ransomware

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bg.png"	订单信息.pdf_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132253"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CF125BA2-7650-11EF-9A03-C61537EC8B44} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20ae11a45d0adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30f30ca45d0adb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f945ed72d44d3489ac9a36be9e2e8b10000000002000000000010660000000100002000000042a2f3eabb79e7aac25b7f3418f5ffd761127ac9491ecffc8389f84ae585f873000000000e80000000020000200000007b47dfe7fef1d203929234bb372011c68fa8a20d00d979c40e0802b25125126520000000b2d7b64c5f10c2b7a8e923155446d37e47263eb63d3d0568c6c0cd0e1faa490b4000000094027039bda8df3e1f9fb481022614a630f8a8f21c471d4eada56191c2f0e44e0b3f485220c1b78a0490c589b9c0b7b4017b86b0b28923f19fc7dbf9d4e02a30	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2742175421"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003f945ed72d44d3489ac9a36be9e2e8b100000000020000000000106600000001000020000000dd2d381d9f359997f8f5769cd350f9c5a3ae454e4c3da973e581b02d383f4a89000000000e80000000020000200000006277e119e68ef52d95bc1dd46fd740a11f90c4d6778a46e5f231a25b6751f8da20000000c83c7eb39b7ee5f10ce2fe0621891dc1237f02e910112c01e3f96854ee826ab340000000bfe13baeebe118b04244dc9290c13baa2d327e0fe1474314b1032767adedb3ed7f7af82c650c53af924028cca23251ffa7c9076b9dd3240aa1654e5d91c2ecbb	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2742175421"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132253"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	mspaint.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1724	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
2300	WINWORD.EXE
2300	WINWORD.EXE
5028	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1180	mspaint.exe
1180	mspaint.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4732	iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
2300	WINWORD.EXE
1180	mspaint.exe
4336	OpenWith.exe
4732	iexplore.exe
4732	iexplore.exe
4348	IEXPLORE.EXE
4348	IEXPLORE.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE
5028	EXCEL.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 3680	184	订单信息.pdf_.exe	86
PID 184 wrote to memory of 3680	184	订单信息.pdf_.exe	86
PID 4732 wrote to memory of 4348	4732	iexplore.exe	103
PID 4732 wrote to memory of 4348	4732	iexplore.exe	103
PID 4732 wrote to memory of 4348	4732	iexplore.exe	103

C:\Users\Admin\AppData\Local\Temp\订单信息.pdf_.exe
"C:\Users\Admin\AppData\Local\Temp\订单信息.pdf_.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\system32\rundll32.exe
  rundll32 url.dll,FileProtocolHandler C:\Users\Admin\AppData\Local\Temp\bg.png
  2⤵
  PID:3680

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\WriteUnblock.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DismountWait.jpe" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:4588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ExpandMerge.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4732 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4348

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SubmitAssert.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnlockRestore.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
53d4c6f01cd4faeaa3dfec9ad615e9b0

SHA1
5736998cdd7aab5b6b2bb7dfa20552c70038c650

SHA256
b48cb632fb556e515d60f94513bcdb3c68614fd649ef930edf9e62fa50044c66

SHA512
9c0e0ab13bc3cbbb9468c4b2293da95b32a1ffa26e8c1ab058943df761c8b5306537c7ed05a4503a5c4977c4bbe8d7decf624ba3992d8a10ef4270e27fb55b5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
60f09641d4360fb49b781fc240911148

SHA1
b652aa83f6cde6856dab720175fb9779ab97da1a

SHA256
b248d029e47d79100bbb9dc8343358b8ac8f2ba3a42ff72aefdcc09b5e3a70ee

SHA512
aab117d1a486cd9c7bd01eca7267331d0408e52e2f4aa77686935a7e4a4475360118abc6900f13c07aaa6148c7e867f78d8679995cd18ab2ff4d7fb26111dea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\582AAA16-B3FD-46A1-93E2-BEABE8E22387

Filesize
171KB

MD5
8f70cc58f159147da811090be5262965

SHA1
4a9712e8a15fcfb5f3bfc80bcdda70807c8c6f07

SHA256
d70f55e5078e9133f928d04b24caf751ec4fdf95aa594903d1690f64abedd73b

SHA512
411722022ecfafc330bde099f56d8a0a2de2e1b2bc32146864195f54f167cf8b575d1e5338cde2abd31cd113dd64ca309f8af79d97c18a4bc9d46abdb742243e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
400e0517feeb022cee06449307896214

SHA1
ad3417c423b4b34c36db23e039d5a8f2cf33e869

SHA256
1ccaa6a5b6c63c25902c1dda755b6135e8199f6b5a0fc4d8f8a1370d27eca88a

SHA512
1669d9e458b5a7dc0827c0fccae590a2c23d3ea696e320980d9467895323fadc4a46a00f89d7942db64f059fbf6ad14d1785f6308ff313ae897c4e554252395e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
94042fed8fef8d3f9979ceace9685154

SHA1
9626b2be5fdc22cbd09261b3d1ba246fa05ba3ef

SHA256
db74ca5f3a5f508a5ca30b08bdbe5b632c8b01e7972f347d2efd468ead9dc13f

SHA512
4792299b1f169b93304a70fa23b53891a55dcaed34b618d9d24f9b5aac61ae4f379db3ab02a68ce8b1d5354d99e04ad8105aedcf76a31bd757680a8ac26d86cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
292B

MD5
4f5dadf9649f21d712e9ccde6ce2455a

SHA1
d38844bf3f108ca118fd2efc1b962f606d598c01

SHA256
aac4923632d85a5874a8e7603f63646eaeaa15f4ca03ff900756c045747dfd5d

SHA512
2e26551c55abea684106e48595c338c3fe8ef1b8f99a223f4abfe2310a3dda72ba0b053df219d556ba84e6f56526209ff78cb87a145a0889075707b82bcd42c9

Download Submit
memory/2300-20-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-61-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-5-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-3-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-7-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-6-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-10-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-12-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-11-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-9-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-8-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-13-0x00007FF965280000-0x00007FF965290000-memory.dmp

Filesize
64KB

Download
memory/2300-14-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-17-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-18-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-16-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-15-0x00007FF965280000-0x00007FF965290000-memory.dmp

Filesize
64KB

Download
memory/2300-19-0x00007FF9A76B0000-0x00007FF9A78A5000-memory.dmp

Filesize
2.0MB

Download
memory/2300-2-0x00007FF9A774D000-0x00007FF9A774E000-memory.dmp

Filesize
4KB

Download
memory/2300-58-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-59-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-60-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-57-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-4-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/2300-1-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/4588-66-0x00000202009C0000-0x00000202009D0000-memory.dmp

Filesize
64KB

Download
memory/4588-73-0x0000020209510000-0x0000020209511000-memory.dmp

Filesize
4KB

Download
memory/4588-75-0x0000020209590000-0x0000020209591000-memory.dmp

Filesize
4KB

Download
memory/4588-77-0x0000020209590000-0x0000020209591000-memory.dmp

Filesize
4KB

Download
memory/4588-78-0x0000020209620000-0x0000020209621000-memory.dmp

Filesize
4KB

Download
memory/4588-79-0x0000020209620000-0x0000020209621000-memory.dmp

Filesize
4KB

Download
memory/4588-80-0x0000020209630000-0x0000020209631000-memory.dmp

Filesize
4KB

Download
memory/4588-62-0x0000020200980000-0x0000020200990000-memory.dmp

Filesize
64KB

Download
memory/4588-81-0x0000020209630000-0x0000020209631000-memory.dmp

Filesize
4KB

Download
memory/5028-124-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-126-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-90-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-92-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-93-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-94-0x00007FF965280000-0x00007FF965290000-memory.dmp

Filesize
64KB

Download
memory/5028-95-0x00007FF965280000-0x00007FF965290000-memory.dmp

Filesize
64KB

Download
memory/5028-125-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-91-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-127-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download
memory/5028-89-0x00007FF967730000-0x00007FF967740000-memory.dmp

Filesize
64KB

Download