djvu | 6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588

Analysis

max time kernel
136s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
10/09/2023, 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
Size

714KB
MD5

7d30d9099185aa1cdc8f0333d3146328
SHA1

b20a4e31e2e083a9e32a295335d9dfbaa7d09b52
SHA256

6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588
SHA512

8ab4c5609caae39b96ef5ee7a2bb2486a6378aa2c09434048e7ad1f033cb5637964e47bc9468e679c5cdb594e2ae295cfffdb9c9fea8b712e828ed325c3480fc
SSDEEP

12288:1vPYvKbTw+/AIEVSBGrKsVBFvPFacNklptLDSKy4XtFjACfkle3x8z:1vcKvw+oII6GVBFvPF7wtXAMweh

Score

10^/10

djvu discovery persistence ransomware

Malware Config

Extracted

Family

djvu

http://zexeq.com/test2/get.php

Attributes

extension
.hgfu
offline_id
Nk8w6hJsuGrE3s2SYWM3ehMUHvjgVRqqgX84dat1
payload_url
http://colisumy.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iTbDHY13BX Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0779JOsie

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 9 IoCs

resource	yara_rule
behavioral1/memory/1172-1-0x0000000004360000-0x000000000447B000-memory.dmp	family_djvu
behavioral1/memory/2912-2-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2912-3-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2912-5-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2912-6-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2912-15-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4852-19-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4852-22-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3076	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0bffd6b0-eb60-4b35-b3f1-271e3770c149\\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe\" --AutoStart"	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	api.2ip.ua
10	api.2ip.ua

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{942F6C7F-84B7-42E5-BD18-E2D22221ED07}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 572 set thread context of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1016	4852	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3864	svchost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 1172 wrote to memory of 2912	1172	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	87
PID 2912 wrote to memory of 3076	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	89
PID 2912 wrote to memory of 3076	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	89
PID 2912 wrote to memory of 3076	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	89
PID 2912 wrote to memory of 572	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	90
PID 2912 wrote to memory of 572	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	90
PID 2912 wrote to memory of 572	2912	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	90
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93
PID 572 wrote to memory of 4852	572	6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
"C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
  "C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0bffd6b0-eb60-4b35-b3f1-271e3770c149" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
    "C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe
      "C:\Users\Admin\AppData\Local\Temp\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 568
        5⤵
        Program crash
        
        PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4852 -ip 4852
1⤵
PID:5044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:2836

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\0bffd6b0-eb60-4b35-b3f1-271e3770c149\6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588.exe

Filesize
714KB

MD5
7d30d9099185aa1cdc8f0333d3146328

SHA1
b20a4e31e2e083a9e32a295335d9dfbaa7d09b52

SHA256
6306d65921ec09c3c65c4eba2ae644187b39997c1b422dc731264a827e812588

SHA512
8ab4c5609caae39b96ef5ee7a2bb2486a6378aa2c09434048e7ad1f033cb5637964e47bc9468e679c5cdb594e2ae295cfffdb9c9fea8b712e828ed325c3480fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuEAFC.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
aafebb8e3dff8490caf8a069f26bc5df

SHA1
5c93d77aa81e87ab151de586abb7024a6acf1d6c

SHA256
674fd1b4546280904170ab5bdbb7238b303f268e4551d205b0e82f1d1bda25af

SHA512
41e985ac79a608dac0f1ba27c9a19ad46e261063d4eb2c75a74fc402106905cb97092e20fa73b10c2a86bbf99b8b5c65a634efae8c2d8eddaa6eb1e5b5246ebd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7a5bc5ee7a1299d2390e8f44c5e5b585

SHA1
bdcc8dffdd99568c40efea7fe5304b2d9df0926c

SHA256
b46c2c8f6e599aedbb64c4f260c39d538a032c084473f85063510bb1a86a1518

SHA512
fd112afd58dffa1812fa650fa19c2123ed2a8213b40a29cd33dd6764bc44ab9a7bd200755e85bc8b753da4e6f1303ac637ec3225b80ffb156aad6a1189a70b54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
19a760d9eb53571886e3f294a008c8c0

SHA1
b8e5b02745f2f6d44c2b34039b4864ceba94b6d0

SHA256
f237436075d2c25296d1cac0aabcc599950fa8bcfef9d0f0a8da33d9841870ec

SHA512
74d2f4da4a4cec7b19164c692b24f7dcd90a5c4b271b8e22a013e381b821c60e22b7bb6db2ccb018cf70f07671c868419f9d42f3664979ce0055c56bbbdd610d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
a2e8130fe790d652e1767815014f6fbe

SHA1
c8b1fc1b6457deacfe4984d00645bd5c70b983ae

SHA256
db846115d8d5d548df8599d1c9b7ea0ffa8fec4729c41bbad5402f113f34e08a

SHA512
a31ee6eac192c2af7404cdff1e26ee067f8ce8eb67ae42ea4c9ea883ef17db5e6c4e82357bfaea483cb6dca62cc6e2a6ed60c28a4b7bdeb431915bca9b014124

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
abfa2ad1679a2e643a032710ccebe557

SHA1
22268da7bffb529339a6a10ef0e2a56909ae6d73

SHA256
54c9bd4b39645ac97c800687365676dd897a7d64a6c4a843e32e1cd6002d701d

SHA512
3ef574aa006db14cef21d4271e1a9fcf03c84a5fac99f6ae8cbb56e7a075975a87856670e8b66c4e30d72cbd6d45cb37140883f359db76a1f93cf713c69d4290

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
0e86e23fff44125b5112c26e2a330e0d

SHA1
c39fd0dc377c13bffca36f92520fe4c37ea5df07

SHA256
f25b568d5ae456315d48d3d1389a147c6db38042e6e52a5a809aa0d0434a6160

SHA512
f4cd04dbbf36f969a05a4444d9d849acf24fa68bbff761671c6bc26606f5b2ca1e3f700f28ae38718d10a4888a62d2359d14c936ab2d0db5933dbe33d14ee4f9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
78b7e58ff59060524cf3038488a0c1bc

SHA1
b8c648bf715cdb2c2ffcf6831cef4e403b2e2b82

SHA256
b2c67c79c10cabb23e394f9cb7529f78d51ff33f96dacf892b6c5f7bb277bdb9

SHA512
0b13f9e533180cfbdec876199660424e1ac87e488ab159b278cd9e2d1846bdf51423c417c73cd61488c657268f04c8eb7bf95d6ee9e7a65aaeecb0ee23f111b5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
7b49eeb0dc45ae9c0bb7fe64160f45dc

SHA1
e51001d2b0cf4f3e5baaf8c27d314cf7d1376703

SHA256
5e98fa1e02eb998fd966fe72f90bda24ee1d15ee8c76e57e112db9f885f74c7e

SHA512
4aec13d5c8237bcf6cb7b5bc0defa0dcbaa5d229d2006ce7fda119436dafa86e863a7500916134c8fb5e2b75fd5efa6caf207207f66fd7aa1f9097be608a99d7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c75ef71fcdc9bfbee214e712aea7a614

SHA1
0685a0c46503ce900238b13782bfa70ded101a47

SHA256
c3a0e5d3a9ffc186b90d4b4a4949284096f6db825f7574ccb437849bbe3711da

SHA512
eec68ccccdb975af9d69b1dd3fd2cb6bdda3c85e454395be5c701be11e5fc1cd20354fdb9818844108ccdbd93fda3f475f3e177187cfa5ae8b6a9028adcd5551

Download Submit
memory/572-17-0x0000000003FA0000-0x0000000004031000-memory.dmp

Filesize
580KB

Download
memory/1172-0-0x00000000041D0000-0x0000000004261000-memory.dmp

Filesize
580KB

Download
memory/1172-4-0x00000000041D0000-0x0000000004261000-memory.dmp

Filesize
580KB

Download
memory/1172-1-0x0000000004360000-0x000000000447B000-memory.dmp

Filesize
1.1MB

Download
memory/2912-15-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2912-6-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2912-5-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2912-3-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2912-2-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3864-269-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-267-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-228-0x000001F647B80000-0x000001F647B90000-memory.dmp

Filesize
64KB

Download
memory/3864-244-0x000001F647C80000-0x000001F647C90000-memory.dmp

Filesize
64KB

Download
memory/3864-260-0x000001F650270000-0x000001F650271000-memory.dmp

Filesize
4KB

Download
memory/3864-261-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-262-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-263-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-264-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-265-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-266-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-304-0x000001F650000000-0x000001F650001000-memory.dmp

Filesize
4KB

Download
memory/3864-268-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-303-0x000001F650000000-0x000001F650001000-memory.dmp

Filesize
4KB

Download
memory/3864-301-0x000001F64FFF0000-0x000001F64FFF1000-memory.dmp

Filesize
4KB

Download
memory/3864-276-0x000001F6502A0000-0x000001F6502A1000-memory.dmp

Filesize
4KB

Download
memory/3864-280-0x000001F64FEC0000-0x000001F64FEC1000-memory.dmp

Filesize
4KB

Download
memory/3864-281-0x000001F64FEB0000-0x000001F64FEB1000-memory.dmp

Filesize
4KB

Download
memory/3864-283-0x000001F64FEC0000-0x000001F64FEC1000-memory.dmp

Filesize
4KB

Download
memory/3864-286-0x000001F64FEB0000-0x000001F64FEB1000-memory.dmp

Filesize
4KB

Download
memory/3864-289-0x000001F64FDF0000-0x000001F64FDF1000-memory.dmp

Filesize
4KB

Download
memory/4852-19-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4852-20-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4852-22-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download