locky_lukitus | 8b0fde020709800cfb4a848a9e49cf3d594198d0e8ebbb6819a3f7a6b3f2bb8b

Analysis

max time kernel
143s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe
Size

615KB
MD5

c29986f0da4fb7c86b44bf91cd84497e
SHA1

bdc4ea27f151b20d708ca64b8fe2a112e0432e96
SHA256

8b0fde020709800cfb4a848a9e49cf3d594198d0e8ebbb6819a3f7a6b3f2bb8b
SHA512

98aff6943d31339c134d94fce027364a41ec95996e654ac2904ccd71531ab5f6a8968a0063f4bf15d7338911dfe08d82855a161c40d4ebc34b1dd94a236f2cab
SSDEEP

12288:zBRpTPN4RNTaeJPDOogtBOQiim9TXNau4nRP9EfIYhRG:zVTF9oPqrBCyRafIQR

Score

10^/10

locky_lukitus defense_evasion discovery ransomware

Malware Config

Signatures

Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\WallpaperStyle = "0"	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\TileWallpaper = "0"	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
1916	msedge.exe
1916	msedge.exe
3488	identity_helper.exe
3488	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1916	4020	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe	99
PID 4020 wrote to memory of 1916	4020	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe	99
PID 1916 wrote to memory of 2516	1916	msedge.exe	100
PID 1916 wrote to memory of 2516	1916	msedge.exe	100
PID 4020 wrote to memory of 4008	4020	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe	101
PID 4020 wrote to memory of 4008	4020	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe	101
PID 4020 wrote to memory of 4008	4020	c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe	101
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 2252	1916	msedge.exe	103
PID 1916 wrote to memory of 3116	1916	msedge.exe	104
PID 1916 wrote to memory of 3116	1916	msedge.exe	104
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105
PID 1916 wrote to memory of 992	1916	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff9a7c846f8,0x7ff9a7c84708,0x7ff9a7c84718
    3⤵
    PID:2516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    3⤵
    PID:992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:1840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
    3⤵
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    PID:2612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    3⤵
    PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
    3⤵
    PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,9458827297027490306,18377456430049028632,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\c29986f0da4fb7c86b44bf91cd84497e_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7339aa24eb98b470c4b6a9e44788e29

SHA1
d9b6ab956b02407ddb30f2731d6ab4e1f3d4b92b

SHA256
c9e02501182f3a71a97a97a7b76b0dd659bf869f058f1d754b91e152eb236afe

SHA512
b18267a735750cafcf5f0d690da45b8bd4205bdc370333751bee312beed85b14de4cf903a10bb9ed1e4954f79436b850d5900cbb5f8a294606ad6ace4d3d9012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
92b262db602bf315dbe890960bf088c9

SHA1
30cd3cd115534c18fb612cb8d7962c0d843f1d13

SHA256
0fb7d7d04a1f8dcf18b1489356888f701ad4923ac767cfe67cd1167343e835b6

SHA512
e72d6171e672900abe8416f59eb534488e10a04c45bff43f209d3ccbc54c32b173032ee58d81bec1b41e8f413af1821c78d49768304df6b9ed669124f82c3468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0fa0e881fb9f1b7bc4efccd7dd6f7cf6

SHA1
77fc1227c448f7676bad3a18a23567c78d937d5c

SHA256
54d7403ae778c993fdcd378456e9657066162e84a49c18760c27f22888e47458

SHA512
5dc7307bfe529bd62ff09df3e9aa7648a123a0c7c5d6416b70332f78b811b16c70678489c6464327753cc2767a24fb486483aa823e0387231a538f4011ec70b4

Download Submit
C:\Users\Default\lukitus-5462.htm

Filesize
8KB

MD5
da506211881f48a8110b87243a1d64be

SHA1
a4ad88efb76ee6932d53615f778897ffd23c09f8

SHA256
20a1c33a688b908d538c701765744e824bad2bfd13946da2cc3a220960e72177

SHA512
9ddfee20633c4fbbf4d570e297bfac73a1a0471bc6e297d8f13e6a4da5039cf306848f76f04c19fa7896084797b3b9f6009170c3c5115590d73c3847cfaba0af

Download Submit
memory/4020-13-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-314-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-321-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-12-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-1-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4020-11-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-5-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-4-0x000000000049B000-0x000000000049C000-memory.dmp

Filesize
4KB

Download
memory/4020-2-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4020-0-0x000000000049B000-0x000000000049C000-memory.dmp

Filesize
4KB

Download