dbfbc98581c82723ed3c35b156ef0924fad11271e0c3c6c6b8447e7e02b05a5d

Analysis

max time kernel
360s
max time network
362s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Size

49KB
MD5

c2734e516454c7af7354a7a4d25cdfa1
SHA1

ad062ffc6cc642ed47549f172e085c15e4902466
SHA256

275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97
SHA512

dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367
SSDEEP

1536:dQFgpLzLiugEBVw9wrLM+7UUjl0FSrXaN:CF4zLi9EBpg+3XaN

Score

10^/10

defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README.hta

Ransom Note

<!DOCTYPE html> <html> <head> <title>SORCERY RANSOMWARE NOTE</title> <style> body { background-color: black; color: green; font-family: Arial, sans-serif; } .important { color: red; } h1, h2 { color: red; } </style> </head> <body> <h1>SORCERY RANSOMWARE NOTE</h1> <h2>What happened?</h2> <p>All of your files are encrypted and stolen. Stolen data will be published soon on our Tor website. There is no way to recover your data and prevent data leakage without us. <span class='important'>Decryption is not possible without the private key.</span> Don't waste your and our time trying to recover your files on your own; it is impossible without our help.</p> <h2>What is Ransomware?</h2> <p>Ransomware is a type of malicious software that encrypts your files and demands a ransom payment to restore access to them. Once your files are encrypted, you will not be able to open or use them without a special decryption key. In addition to encrypting your files, ransomware can also steal your data and threaten to publish it if the ransom is not paid.</p> <h2>What is a Decryptor?</h2> <p>A decryptor is a tool that can reverse the encryption applied by ransomware, allowing you to regain access to your files. The decryptor requires a unique private key, which is held by the attackers. Without this key, it is impossible to decrypt your files.</p> <h2>How to recover files & prevent leakage?</h2> <p>We promise that you can recover all your files safely and prevent data leakage. <span class='important'>We can do it!</span></p> <h2>Contact Us</h2> <p><span class='important'>Email:</span> [email protected]</p> <p><span class='important'>Enter DECRYPTION ID:</span> S10</p> <p>You need to contact us within <span class='important'>24 hours</span> so that we can discuss the price for the decryptor.</p> </body> </html>

Emails

[email protected]</p>

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (173) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2612	rundll32.exe
1940	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
2612	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\README = "C:\\Users\\Admin\\AppData\\Local\\rundll32.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\HWMonitor = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\HWMonitor\\HWMonitor.exe"	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3YLjWsTbP.jpg"	rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1700 set thread context of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 2612 set thread context of 1940	2612	rundll32.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2024	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1996	powershell.exe
2656	powershell.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe
1940	rundll32.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1940	rundll32.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeBackupPrivilege	1484	vssvc.exe
Token: SeRestorePrivilege	1484	vssvc.exe
Token: SeAuditPrivilege	1484	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2100	WMIC.exe
Token: SeSecurityPrivilege	2100	WMIC.exe
Token: SeTakeOwnershipPrivilege	2100	WMIC.exe
Token: SeLoadDriverPrivilege	2100	WMIC.exe
Token: SeSystemProfilePrivilege	2100	WMIC.exe
Token: SeSystemtimePrivilege	2100	WMIC.exe
Token: SeProfSingleProcessPrivilege	2100	WMIC.exe
Token: SeIncBasePriorityPrivilege	2100	WMIC.exe
Token: SeCreatePagefilePrivilege	2100	WMIC.exe
Token: SeBackupPrivilege	2100	WMIC.exe
Token: SeRestorePrivilege	2100	WMIC.exe
Token: SeShutdownPrivilege	2100	WMIC.exe
Token: SeDebugPrivilege	2100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2100	WMIC.exe
Token: SeRemoteShutdownPrivilege	2100	WMIC.exe
Token: SeUndockPrivilege	2100	WMIC.exe
Token: SeManageVolumePrivilege	2100	WMIC.exe
Token: 33	2100	WMIC.exe
Token: 34	2100	WMIC.exe
Token: 35	2100	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	31
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	31
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	31
PID 1700 wrote to memory of 1996	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	31
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 1700 wrote to memory of 2288	1700	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	33
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2288 wrote to memory of 2612	2288	275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe	34
PID 2612 wrote to memory of 2656	2612	rundll32.exe	35
PID 2612 wrote to memory of 2656	2612	rundll32.exe	35
PID 2612 wrote to memory of 2656	2612	rundll32.exe	35
PID 2612 wrote to memory of 2656	2612	rundll32.exe	35
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 2612 wrote to memory of 1940	2612	rundll32.exe	37
PID 1940 wrote to memory of 2932	1940	rundll32.exe	39
PID 1940 wrote to memory of 2932	1940	rundll32.exe	39
PID 1940 wrote to memory of 2932	1940	rundll32.exe	39
PID 1940 wrote to memory of 2932	1940	rundll32.exe	39
PID 2932 wrote to memory of 2024	2932	cmd.exe	41
PID 2932 wrote to memory of 2024	2932	cmd.exe	41
PID 2932 wrote to memory of 2024	2932	cmd.exe	41
PID 2932 wrote to memory of 2024	2932	cmd.exe	41
PID 2932 wrote to memory of 2100	2932	cmd.exe	43
PID 2932 wrote to memory of 2100	2932	cmd.exe	43
PID 2932 wrote to memory of 2100	2932	cmd.exe	43
PID 2932 wrote to memory of 2100	2932	cmd.exe	43
PID 1940 wrote to memory of 2308	1940	rundll32.exe	45
PID 1940 wrote to memory of 2308	1940	rundll32.exe	45
PID 1940 wrote to memory of 2308	1940	rundll32.exe	45
PID 1940 wrote to memory of 2308	1940	rundll32.exe	45
PID 1940 wrote to memory of 2564	1940	rundll32.exe	47
PID 1940 wrote to memory of 2564	1940	rundll32.exe	47
PID 1940 wrote to memory of 2564	1940	rundll32.exe	47
PID 1940 wrote to memory of 2564	1940	rundll32.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
"C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe
  "C:\Users\Admin\AppData\Local\Temp\275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Users\Admin\AppData\Local\rundll32.exe
    "C:\Users\Admin\AppData\Local\rundll32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2656
  - - C:\Users\Admin\AppData\Local\rundll32.exe
      "C:\Users\Admin\AppData\Local\rundll32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Sets desktop wallpaper using registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:2024
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        5⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        5⤵
        
        PID:2564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1683c8d22e25d55d9a02ed59a795105c

SHA1
3b167e2df262d02b09a18495c28c5d77346f23f4

SHA256
9af44f3b0c0ce1ed2ffbe672c299337e61f72bed511740a722dcc86da4e36de8

SHA512
233162200cc8bc52deb8a4e81de0aaec20cd7de250793586a5fbf482359bf9e7f24bb381f36be05fa0268b358ca777c2c0412c32e843ad7a0a45f54b85f4d24c

Download Submit
C:\Users\Admin\Desktop\README.hta

Filesize
1KB

MD5
72c1db68d8b6d084a4649a8e645b4b9b

SHA1
b2412983edbb2f85abcf091d2df8d01cb52a6116

SHA256
c3c694124e9ae89e652cd8294ff0d0c452c7185db91fc8758198ce15d83ab1ed

SHA512
77ef54064c7ed8bab1903b2d8d22942943fc0ac1757b5404e53deb3374edd97e14069741730170198e8bd7a24dba79942f6eebd26b2651c71d640b834dd41ff7

Download Submit
\Users\Admin\AppData\Local\rundll32.exe

Filesize
49KB

MD5
c2734e516454c7af7354a7a4d25cdfa1

SHA1
ad062ffc6cc642ed47549f172e085c15e4902466

SHA256
275d0d15fa3582e848f05daa76d351e10ce3d7072e9c987eee1a1f606c714a97

SHA512
dc32973cbe1b12f27c9d78702f8efb307f48f521529d0ad4cd70426bfcacb697a3dd761246cc7bd40235c51d7b1bced2eeee78bd7ac82ad297c314a80d753367

Download Submit
memory/1700-1-0x00000000013B0000-0x00000000013C2000-memory.dmp

Filesize
72KB

Download
memory/1700-2-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-3-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/1700-4-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-5-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1700-19-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1700-0-0x000000007407E000-0x000000007407F000-memory.dmp

Filesize
4KB

Download
memory/1940-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2288-9-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-8-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-7-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-20-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-10-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-31-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-13-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-15-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2288-18-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2612-30-0x00000000001A0000-0x00000000001B2000-memory.dmp

Filesize
72KB

Download