2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Size

148KB
MD5

90b13c5448b62ddb92a1d0f8262ed7b7
SHA1

0b27b077d437da27091dd626e5958f0674e86a1c
SHA256

2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
SHA512

bf16a6106f2afebb094949fb64dcd25832e02284d5ee06634254910336489a502947c8bc0629abcadb13d7cddcead28d2cbc1a470ab53e6d51671f2e67d81ffd
SSDEEP

3072:06glyuxE4GsUPnliByocWepEjCwDS6bo2VY9:06gDBGpvEByocWeCeS1Y9

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\mstH2C7Dr.README.txt

Ransom Note

~~~ LockBit 3.0, the fastest ransomware in the world since 2019 ~~~ >>>> What happened? Your data is stolen and encrypted, the data will be published on TOR website if you do not pay the ransom. >>>> What guarantees that we will not deceive you? We are not a politically motivated group and we don't need anything other than your money. If you pay, we will provide you with the decryption programs and delete your data. Life is too short to be sad. Don't be sad, money is just paper. If we don't provide you with decryptors or delete your data after payment, no one will pay us in the future. This is why our reputation is very important to us. We attack businesses worldwide and there are no unsatisfied victims after payment. You can get information about us on Twitter: https://twitter.com/hashtag/lockbit?f=live >>>> How to pay to get the decryptor? You must contact us by email to be able to send us a message with the payment screenshot with your personal decryption id, so we will contact you again to give you our recovery software. Your personal decryption id: A79A3EC67EEF60C01C57CF243F9DFEC7 Our Bitcoin payment address: bc1qlj7ep820lmg48tvh7mahwjd5y4d4tx4nqactsp The amount to pay: 200.00$ Our contact email address: [email protected] >>>> Why Bitcoin? As for the issue of anonymity, bitcoin is often considered more anonymous than traditional payment methods because it is not directly linked to your identity. Bitcoin transactions are recorded on a public blockchain, but they are pseudonymous. >>>> How to buy bitcoin? To buy bitcoin, start by looking for trusted exchanges like Coinbase, Binance, or Kraken. Once registered on one of these platforms, explore options for purchasing bitcoin using your local currency. Familiarize yourself with the process of verifying and securing a digital wallet. >>>> Information? Attention ! Do not delete or modify any files, this may cause recovery problems! Attention ! If you don't pay the ransom, we will repeatedly attack your business again!

Emails

[email protected]

URLs

https://twitter.com/hashtag/lockbit?f=live

Signatures

Renames multiple (315) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes itself 1 IoCs

pid	Process
1392	F8B.tmp

Executes dropped EXE 1 IoCs

pid	Process
1392	F8B.tmp

Loads dropped DLL 1 IoCs

pid	Process
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp"	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp"	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
1392	F8B.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\WallpaperStyle = "10"	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico"	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr"	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Suspicious behavior: RenamesItself 26 IoCs

pid	Process
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp
1392	F8B.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeDebugPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: 36	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeImpersonatePrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeIncBasePriorityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeIncreaseQuotaPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: 33	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeManageVolumePrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeProfSingleProcessPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeRestorePrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSystemProfilePrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeTakeOwnershipPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeShutdownPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeDebugPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeBackupPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
Token: SeSecurityPrivilege	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1392	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe	30
PID 2856 wrote to memory of 1392	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe	30
PID 2856 wrote to memory of 1392	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe	30
PID 2856 wrote to memory of 1392	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe	30
PID 2856 wrote to memory of 1392	2856	2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe	30
PID 1392 wrote to memory of 1804	1392	F8B.tmp	32
PID 1392 wrote to memory of 1804	1392	F8B.tmp	32
PID 1392 wrote to memory of 1804	1392	F8B.tmp	32
PID 1392 wrote to memory of 1804	1392	F8B.tmp	32

C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-28_90b13c5448b62ddb92a1d0f8262ed7b7_darkside.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856
- C:\ProgramData\F8B.tmp
  "C:\ProgramData\F8B.tmp"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\F8B.tmp >> NUL
    3⤵
    PID:1804

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x14c
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3452737119-3959686427-228443150-1000\desktop.ini

Filesize
129B

MD5
426b2519ac1b22e81791909ed84eb632

SHA1
23ad5b742b9dd3f95b6943ffef7c30cecb0c6428

SHA256
a1c8fe4f3167748b96997788927aa954513d4f74468575fef354f6a6bd6229d5

SHA512
7ec51ea80436e413da1e3f5dbc43aaeecdcb0ffa778a17599e4b4d8116fb862bf14c8a2abca8e480155d2f6cf7a8a76c85aecd06babec04991ba0d0c9cdbd247

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

Filesize
148KB

MD5
532ede80a0f734352ae0981d516d6f38

SHA1
c190b21153b3253a82a8e1d23443c0521f556c28

SHA256
e547608868f67ff69c5c9267461260436dc3026da1b20fa173bfb889120de8e3

SHA512
e4a682347ff702cd365de58c3d0486bc0c15920a49a3b7f92984ed9693e587657580dff3406045fb3556604f7ead85a43576c02cb94ac15783de5047b3d6a2f3

Download Submit
C:\mstH2C7Dr.README.txt

Filesize
2KB

MD5
8c18a803789289f6d0638e893e2803d8

SHA1
8b40d4e8bda8c99612bd6f91fd901d3547440169

SHA256
c179a92fd5952fe4216c4508134702353fb6b5838a96bd794cc8b164d94328c2

SHA512
0e0c90679eabd07774e9a7a103284de28406afcdc71e71e4630b757c5c59ac62d2a8284cfceac1c6916ac7956fcd6df6fc1adb2238aa5e023bcef280ff34e68b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\DDDDDDDDDDD

Filesize
129B

MD5
904eb685c0445850071e3d010b410197

SHA1
aeba1473b534af10b2dac9f0574ab36f513739c4

SHA256
9506e02b2e52ec232994b8c875b0b7c31048f3de42396ef1f582d1b823b59cd3

SHA512
10a23917846b876e1fb42b0f73313e5cac5487e8384c699d2292b831f514dc39208c35959c5cc87e4c7a2d683b381aa2ce4258584355e7eb26eb213159adfa77

Download Submit
\ProgramData\F8B.tmp

Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/1392-834-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/1392-833-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

Filesize
4KB

Download
memory/1392-836-0x000000007EF80000-0x000000007EF81000-memory.dmp

Filesize
4KB

Download
memory/1392-838-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1392-866-0x000000007EF60000-0x000000007EF61000-memory.dmp

Filesize
4KB

Download
memory/1392-865-0x000000007EF40000-0x000000007EF41000-memory.dmp

Filesize
4KB

Download
memory/2856-0-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download