40d26d85ada55202d5cd95bee8cc35d0fcf0c5115227a016a45ab2f284b01189

Analysis

max time kernel
147s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10/03/2023, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
Size

918KB
MD5

2a48228a37fe7bf1cf3f147d07884e30
SHA1

bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96
SHA256

4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4
SHA512

30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30
SSDEEP

24576:eijfgpFKJM3kEirzajXBJnORbhVjSFoSF4:eSK3Ore7bnAbhVjSFr4

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1796	vkl.exe
1608	vkl.exe

Loads dropped DLL 2 IoCs

pid	Process
1136	cmd.exe
1136	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKL-MYD1QO = "\"C:\\Program Files (x86)\\vkl.exe\""	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vkl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\VKL-MYD1QO = "\"C:\\Program Files (x86)\\vkl.exe\""	vkl.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1796 set thread context of 1608	1796	vkl.exe	41

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\vkl.exe	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
File opened for modification	C:\Program Files (x86)\Screenshots	vkl.exe
File opened for modification	C:\Program Files (x86)\Screenshots\time_2023.03.10_12.29.28.png	vkl.exe
File opened for modification	C:\Program Files (x86)\log.txt	vkl.exe
File created	C:\Program Files (x86)\log.txt	vkl.exe
File created	C:\Program Files (x86)\vkl.exe	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1160	schtasks.exe
1260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
772	powershell.exe
1796	vkl.exe
1796	vkl.exe
1796	vkl.exe
1796	vkl.exe
1796	vkl.exe
1796	vkl.exe
1556	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1796	vkl.exe
Token: SeDebugPrivilege	1556	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1608	vkl.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 772	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	28
PID 1092 wrote to memory of 772	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	28
PID 1092 wrote to memory of 772	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	28
PID 1092 wrote to memory of 772	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	28
PID 1092 wrote to memory of 1160	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	30
PID 1092 wrote to memory of 1160	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	30
PID 1092 wrote to memory of 1160	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	30
PID 1092 wrote to memory of 1160	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	30
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1092 wrote to memory of 1812	1092	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	32
PID 1812 wrote to memory of 1480	1812	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	33
PID 1812 wrote to memory of 1480	1812	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	33
PID 1812 wrote to memory of 1480	1812	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	33
PID 1812 wrote to memory of 1480	1812	4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe	33
PID 1480 wrote to memory of 1136	1480	WScript.exe	34
PID 1480 wrote to memory of 1136	1480	WScript.exe	34
PID 1480 wrote to memory of 1136	1480	WScript.exe	34
PID 1480 wrote to memory of 1136	1480	WScript.exe	34
PID 1136 wrote to memory of 1796	1136	cmd.exe	36
PID 1136 wrote to memory of 1796	1136	cmd.exe	36
PID 1136 wrote to memory of 1796	1136	cmd.exe	36
PID 1136 wrote to memory of 1796	1136	cmd.exe	36
PID 1796 wrote to memory of 1556	1796	vkl.exe	37
PID 1796 wrote to memory of 1556	1796	vkl.exe	37
PID 1796 wrote to memory of 1556	1796	vkl.exe	37
PID 1796 wrote to memory of 1556	1796	vkl.exe	37
PID 1796 wrote to memory of 1260	1796	vkl.exe	39
PID 1796 wrote to memory of 1260	1796	vkl.exe	39
PID 1796 wrote to memory of 1260	1796	vkl.exe	39
PID 1796 wrote to memory of 1260	1796	vkl.exe	39
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41
PID 1796 wrote to memory of 1608	1796	vkl.exe	41

C:\Users\Admin\AppData\Local\Temp\4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
"C:\Users\Admin\AppData\Local\Temp\4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FblUSm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FblUSm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2B2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe
  "C:\Users\Admin\AppData\Local\Temp\4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\vkl.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\Program Files (x86)\vkl.exe
        
        "C:\Program Files (x86)\vkl.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FblUSm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FblUSm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3E5.tmp"
        6⤵
        Creates scheduled task(s)
        
        PID:1260
      - C:\Program Files (x86)\vkl.exe
        
        "C:\Program Files (x86)\vkl.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\log.txt

Filesize
168B

MD5
8419d8938b99ebfba0c3cec006d6e7d1

SHA1
b710e9a8a4bbca2ded14c2128380f08eca9484b5

SHA256
a68e920c38310bcc5090ac9bbb0448484bd305cc28ed3b2ab8048a5dd3b13d5d

SHA512
412ac3b7bc4c15e3af7bc37ea7c9f0f9b20b7935feedf18c46a85d2587b25434207aa4135bc0dad7f6068523cc145cccf82d6c16fdea536b4d221c98c4ebcc6e

Download Submit
C:\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
C:\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
C:\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
C:\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
382B

MD5
b9a41fbe2abb9d375cfd1a276fcce1a4

SHA1
22459b02ac9221287ce93e823dbdc2344c2cd02d

SHA256
d002bab0115b6e6b14afcc42fbb70245827651e6fc0850dd4473fbe5bd737edf

SHA512
fa4ef885ac4a67878cf929f387ea7952f94870b2f6d83a4cab9743e571f83423d5fece1d8a1ad2e1096c091cbbf7b781a380538f9335285a1bfcc4a230add7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3E5.tmp

Filesize
1KB

MD5
ddaad1451ca2bcb556eb9af5ef449461

SHA1
e58246c0515ee39f31d497c2214f32dba368949c

SHA256
2d03365b1cf623205b85f7bbe6e71b115a8356618f05458cd0a29860210f9355

SHA512
67d79496420170a5ebbb79cc37c0d0327f0989f47c5060cc149b3455c646903054ca3355a354710e6b32272cee684ea3dee36332526570f593f6af377c6d0129

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE2B2.tmp

Filesize
1KB

MD5
ddaad1451ca2bcb556eb9af5ef449461

SHA1
e58246c0515ee39f31d497c2214f32dba368949c

SHA256
2d03365b1cf623205b85f7bbe6e71b115a8356618f05458cd0a29860210f9355

SHA512
67d79496420170a5ebbb79cc37c0d0327f0989f47c5060cc149b3455c646903054ca3355a354710e6b32272cee684ea3dee36332526570f593f6af377c6d0129

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0O2EOC2FJRUFM1YCUOYW.temp

Filesize
7KB

MD5
b5457cd0546156b2a13f75a380e378bb

SHA1
8f6df06dba6989451d9d5106df47db2e7e0a3e37

SHA256
055c3b45ab6eb9a77bfb4cca386b1b28193226a4b2a6d5bf3c22ba3e3e77be69

SHA512
8fcce0a2086b78ff5be96be602fa657ce41752d5c0d621a12b00ad0dec27757186db926705d56436c7fe6770f9059599d88b498c31c22d96add3db33caccc506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b5457cd0546156b2a13f75a380e378bb

SHA1
8f6df06dba6989451d9d5106df47db2e7e0a3e37

SHA256
055c3b45ab6eb9a77bfb4cca386b1b28193226a4b2a6d5bf3c22ba3e3e77be69

SHA512
8fcce0a2086b78ff5be96be602fa657ce41752d5c0d621a12b00ad0dec27757186db926705d56436c7fe6770f9059599d88b498c31c22d96add3db33caccc506

Download Submit
\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
\Program Files (x86)\vkl.exe

Filesize
918KB

MD5
2a48228a37fe7bf1cf3f147d07884e30

SHA1
bb6a32c77ceb6d5b2c32731b0109c177c7aa6d96

SHA256
4c988891326eea9e5fe8aeaa93ffb3f7001bd3cda048a72ab24c8b54dd1834e4

SHA512
30699f8bc5982e40c3e9e52476b3b96f11ef85cb711c4beece38eba91646f870d0cb92a024adccd6ff4015e18a5a7d20863db0f48e2a295caa088a3a2ba8bf30

Download Submit
memory/772-84-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

Filesize
256KB

Download
memory/772-85-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

Filesize
256KB

Download
memory/1092-67-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/1092-55-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download
memory/1092-56-0x0000000001DB0000-0x0000000001DCA000-memory.dmp

Filesize
104KB

Download
memory/1092-57-0x0000000001D70000-0x0000000001DB0000-memory.dmp

Filesize
256KB

Download
memory/1092-58-0x0000000001D60000-0x0000000001D6E000-memory.dmp

Filesize
56KB

Download
memory/1092-54-0x0000000000850000-0x000000000093C000-memory.dmp

Filesize
944KB

Download
memory/1092-59-0x0000000005D00000-0x0000000005DA0000-memory.dmp

Filesize
640KB

Download
memory/1556-112-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/1608-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-115-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-114-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1608-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-92-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1796-91-0x0000000004D80000-0x0000000004DC0000-memory.dmp

Filesize
256KB

Download
memory/1796-90-0x0000000000BA0000-0x0000000000C8C000-memory.dmp

Filesize
944KB

Download
memory/1812-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-69-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1812-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download