dd2b75cb2df230a562fb1d1cac43a847b63bf6658ac7fe36de316fbd2bc5610a

Resubmissions

15/04/2024, 10:50

240415-mxdmfacf29 10

15/04/2024, 07:11

240415-hzw5cahc99 10

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Size

767KB
MD5

ae2f422a1ca6558ca6dd723c1b351b7a
SHA1

eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad
SHA256

1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda
SHA512

30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ks:WnsJ39LyjbJkQFMhmC+6GD9R

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Readme.txt

Ransom Note

Attention Tax payer: All Your files have been locked with ransomware by law enforcement for violating cyber laws. All of your important documents, photos, and videos have been encrypted and cannot be accessed without a decryption key. This is a serious offense and you must pay a fine to unlock your files. To unlock your files, follow these instructions: 1. Contact us on telegram = @Lawinfo19 2. We will tell about you problem 3. You need us to pay a amount for your criminal activity 4. Use the decryption key to unlock your files. If you fail to comply with these instructions, the fine will increase and your files will be permanently deleted. Do not attempt to remove the ransomware or tamper with your files. Any attempts to do so will result in the permanent loss of your data. We understand the inconvenience this may cause, but it is necessary to ensure that cyber laws are not violated. We apologize for any inconvenience and hope to resolve this matter as soon as possible. Sincerely, Law Enforcement

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1664	bcdedit.exe
3032	bcdedit.exe

Renames multiple (318) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2180	wbadmin.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe

Executes dropped EXE 5 IoCs

pid	Process
1600	._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
3048	Synaptics.exe
1980	Runtime Broker.exe
4976	._cache_Synaptics.exe
4612	Runtime Broker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Readme = "C:\\Users\\Admin\\AppData\\Local\\Runtime Broker.exe"	Runtime Broker.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\McSIbsZH9.jpg"	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4108	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe
4612	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
Token: SeDebugPrivilege	4976	._cache_Synaptics.exe
Token: SeDebugPrivilege	4612	Runtime Broker.exe
Token: SeBackupPrivilege	1276	vssvc.exe
Token: SeRestorePrivilege	1276	vssvc.exe
Token: SeAuditPrivilege	1276	vssvc.exe
Token: SeIncreaseQuotaPrivilege	4348	WMIC.exe
Token: SeSecurityPrivilege	4348	WMIC.exe
Token: SeTakeOwnershipPrivilege	4348	WMIC.exe
Token: SeLoadDriverPrivilege	4348	WMIC.exe
Token: SeSystemProfilePrivilege	4348	WMIC.exe
Token: SeSystemtimePrivilege	4348	WMIC.exe
Token: SeProfSingleProcessPrivilege	4348	WMIC.exe
Token: SeIncBasePriorityPrivilege	4348	WMIC.exe
Token: SeCreatePagefilePrivilege	4348	WMIC.exe
Token: SeBackupPrivilege	4348	WMIC.exe
Token: SeRestorePrivilege	4348	WMIC.exe
Token: SeShutdownPrivilege	4348	WMIC.exe
Token: SeDebugPrivilege	4348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4348	WMIC.exe
Token: SeRemoteShutdownPrivilege	4348	WMIC.exe
Token: SeUndockPrivilege	4348	WMIC.exe
Token: SeManageVolumePrivilege	4348	WMIC.exe
Token: 33	4348	WMIC.exe
Token: 34	4348	WMIC.exe
Token: 35	4348	WMIC.exe
Token: 36	4348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4348	WMIC.exe
Token: SeSecurityPrivilege	4348	WMIC.exe
Token: SeTakeOwnershipPrivilege	4348	WMIC.exe
Token: SeLoadDriverPrivilege	4348	WMIC.exe
Token: SeSystemProfilePrivilege	4348	WMIC.exe
Token: SeSystemtimePrivilege	4348	WMIC.exe
Token: SeProfSingleProcessPrivilege	4348	WMIC.exe
Token: SeIncBasePriorityPrivilege	4348	WMIC.exe
Token: SeCreatePagefilePrivilege	4348	WMIC.exe
Token: SeBackupPrivilege	4348	WMIC.exe
Token: SeRestorePrivilege	4348	WMIC.exe
Token: SeShutdownPrivilege	4348	WMIC.exe
Token: SeDebugPrivilege	4348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4348	WMIC.exe
Token: SeRemoteShutdownPrivilege	4348	WMIC.exe
Token: SeUndockPrivilege	4348	WMIC.exe
Token: SeManageVolumePrivilege	4348	WMIC.exe
Token: 33	4348	WMIC.exe
Token: 34	4348	WMIC.exe
Token: 35	4348	WMIC.exe
Token: 36	4348	WMIC.exe
Token: SeBackupPrivilege	2728	wbengine.exe
Token: SeRestorePrivilege	2728	wbengine.exe
Token: SeSecurityPrivilege	2728	wbengine.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 1600	528	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	87
PID 528 wrote to memory of 1600	528	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	87
PID 528 wrote to memory of 3048	528	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	88
PID 528 wrote to memory of 3048	528	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	88
PID 528 wrote to memory of 3048	528	1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	88
PID 1600 wrote to memory of 1980	1600	._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	89
PID 1600 wrote to memory of 1980	1600	._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe	89
PID 3048 wrote to memory of 4976	3048	Synaptics.exe	90
PID 3048 wrote to memory of 4976	3048	Synaptics.exe	90
PID 4976 wrote to memory of 4612	4976	._cache_Synaptics.exe	91
PID 4976 wrote to memory of 4612	4976	._cache_Synaptics.exe	91
PID 4612 wrote to memory of 3124	4612	Runtime Broker.exe	93
PID 4612 wrote to memory of 3124	4612	Runtime Broker.exe	93
PID 3124 wrote to memory of 4108	3124	cmd.exe	95
PID 3124 wrote to memory of 4108	3124	cmd.exe	95
PID 3124 wrote to memory of 4348	3124	cmd.exe	98
PID 3124 wrote to memory of 4348	3124	cmd.exe	98
PID 4612 wrote to memory of 4020	4612	Runtime Broker.exe	100
PID 4612 wrote to memory of 4020	4612	Runtime Broker.exe	100
PID 4020 wrote to memory of 1664	4020	cmd.exe	102
PID 4020 wrote to memory of 1664	4020	cmd.exe	102
PID 4020 wrote to memory of 3032	4020	cmd.exe	103
PID 4020 wrote to memory of 3032	4020	cmd.exe	103
PID 4612 wrote to memory of 1216	4612	Runtime Broker.exe	104
PID 4612 wrote to memory of 1216	4612	Runtime Broker.exe	104
PID 1216 wrote to memory of 2180	1216	cmd.exe	106
PID 1216 wrote to memory of 2180	1216	cmd.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
"C:\Users\Admin\AppData\Local\Temp\1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Runtime Broker.exe
    "C:\Users\Admin\AppData\Local\Runtime Broker.exe"
    3⤵
    - Executes dropped EXE
    PID:1980
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Runtime Broker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Sets desktop wallpaper using registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3124
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:4108
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1664
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1216
      - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        6⤵
        Deletes backup catalog
        
        PID:2180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
767KB

MD5
ae2f422a1ca6558ca6dd723c1b351b7a

SHA1
eeec0b0012f1b6c41a70f6f13d2ec01e0b3ef6ad

SHA256
1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda

SHA512
30a0ea93646669e6b2aac357e36c558da8fbd166435cc05d33daf80e01d12c4dfa903e6532ff0e58c47faee12c63998aa2313bb2e73650878f3d050654c751c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_1d854192e5aac93a950c60e013a8f08283ad81f841dd90da9326198f37c8adda.exe

Filesize
22KB

MD5
c664f5be59fb3a17761dd2ada9eef228

SHA1
1f32c2b1aa103c73c9fb9624e53318d5bc8d60f1

SHA256
2a567c61c401c4fd6f7a4ae88265d7a0dbd0c14fdcc116f8c5d98da6022066ec

SHA512
c24a25237d009715f3b98fdf4489af8a484ab93091dbbd6ab1815946c9af24cff3f026bb3e7bff969348621cc82769b7fd1dde5bdbaba14768b229cac85b2259

Download Submit
C:\Users\Admin\Desktop\Readme.txt

Filesize
1KB

MD5
4e5afc973a7d062342a5020e33bf85dc

SHA1
345fbfd0fcad94b2975021c802f5345cce10e037

SHA256
ce82cff28fa692ed34a2e9076641f2097248412ac990fd1fe59fc1ae6cda7401

SHA512
e41f9fb8ce570fdb5b6fe213f9774f639d156f43a10ba18c0c90f528956f8ca1677b9663930132242751bcf26174eaedeb909779c1f4e521b00468647904e5a5

Download Submit
memory/528-130-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/528-0-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1600-129-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/1600-70-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/1600-196-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/1980-971-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/1980-195-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/3048-969-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3048-134-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3048-970-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3048-997-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/4612-222-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/4612-223-0x0000000001500000-0x0000000001510000-memory.dmp

Filesize
64KB

Download
memory/4612-968-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/4976-221-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download
memory/4976-207-0x00007FFAB57C0000-0x00007FFAB6281000-memory.dmp

Filesize
10.8MB

Download