e097f98ea3416330ed2fd7856743d68a7ca880c6d57e8c264a384a112ac5a390

Resubmissions

26/09/2024, 23:34

240926-3ktqwsteqq 10

02/09/2024, 12:26

240902-pl9xls1cnb 10

Analysis

max time kernel
101s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lk.exe
Size

146KB
MD5

7f6830b77ad13b244bc5d702d67137bf
SHA1

1fbd763388a3e9679ac66b35da8a78e041611fe4
SHA256

e097f98ea3416330ed2fd7856743d68a7ca880c6d57e8c264a384a112ac5a390
SHA512

488cb83c7267cfc70989e09489373f4372325531f7c02b1711fbdf6dfeaa377c39b84d5e971136e0e41d0a6dcde52ec4d21a749169eedb9e9ba43eb9caf077de
SSDEEP

3072:c6glyuxE4GsUPnliByocWep0XL63DjDeprS:c6gDBGpvEByocWeOmuNS

Score

9^/10

discovery ransomware spyware stealer

Malware Config

Signatures

Renames multiple (605) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	lk.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini	lk.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\spool\PRINTERS\00002.SPL	splwow64.exe
File created	C:\Windows\system32\spool\PRINTERS\PPu3yyvgufclcezkrjl_2akkv3d.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP09jrcsr1f_2dcw9m0pu0t8p4c.TMP	printfilterpipelinesvc.exe
File created	C:\Windows\system32\spool\PRINTERS\PP02k87em2185t49m8hr5enqkrc.TMP	printfilterpipelinesvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lk.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ONENOTE.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	ONENOTE.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	ONENOTE.EXE

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.XQk8iLzOQ\ = "XQk8iLzOQ"	lk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ\DefaultIcon	lk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ	lk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XQk8iLzOQ\DefaultIcon\ = "C:\\ProgramData\\XQk8iLzOQ.ico"	lk.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.XQk8iLzOQ	lk.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3296	NOTEPAD.EXE
5060	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4740	ONENOTE.EXE
4740	ONENOTE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe
4404	lk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeDebugPrivilege	4404	lk.exe
Token: 36	4404	lk.exe
Token: SeImpersonatePrivilege	4404	lk.exe
Token: SeIncBasePriorityPrivilege	4404	lk.exe
Token: SeIncreaseQuotaPrivilege	4404	lk.exe
Token: 33	4404	lk.exe
Token: SeManageVolumePrivilege	4404	lk.exe
Token: SeProfSingleProcessPrivilege	4404	lk.exe
Token: SeRestorePrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSystemProfilePrivilege	4404	lk.exe
Token: SeTakeOwnershipPrivilege	4404	lk.exe
Token: SeShutdownPrivilege	4404	lk.exe
Token: SeDebugPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeBackupPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe
Token: SeSecurityPrivilege	4404	lk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe
1684	taskmgr.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4740	ONENOTE.EXE
4768	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe
4956	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3744	4404	lk.exe	85
PID 4404 wrote to memory of 3744	4404	lk.exe	85
PID 3936 wrote to memory of 4740	3936	printfilterpipelinesvc.exe	92
PID 3936 wrote to memory of 4740	3936	printfilterpipelinesvc.exe	92
PID 4956 wrote to memory of 5060	4956	OpenWith.exe	106
PID 4956 wrote to memory of 5060	4956	OpenWith.exe	106

C:\Users\Admin\AppData\Local\Temp\lk.exe
"C:\Users\Admin\AppData\Local\Temp\lk.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  - Drops file in System32 directory
  PID:3744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2960

C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
  /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{1332DA82-0F64-4CFD-88D9-DE32F22CE60F}.xps" 133718673044630000
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4740

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\XQk8iLzOQ.README.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RegisterWait.cmd" "
1⤵
PID:4472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SelectResize.wmf.XQk8iLzOQ
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-523280732-2327480845-3730041215-1000\KKKKKKKKKKK

Filesize
129B

MD5
4613ab580d5a3081e8f695ca87f8fa0a

SHA1
e111c20c738f5fb2f5ee3e6f4df2e535ec098f6b

SHA256
96e8b3cac3862ce2afe350827cae0bf3c3138b56ae6ab4b3ab8f64e08eb3637d

SHA512
771ea21d8c7e445a7f5c3ee44fd1f4505ca35766f85365e2896e86a28669801bf9f523d119a99247e3a7d196b0763ffc123f09a1817cb2dad3370da7312be744

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D915B1C9-8D48-4DBB-8945-7E2E039E1C42}

Filesize
4KB

MD5
b71481d8c98b2dfb7b063c30578ac4a3

SHA1
89af74b03bfab88fcf77e62b21913e2f03309191

SHA256
66115b92f64d7da52da10e87820784907221454faef4b639131bccdc9ad36073

SHA512
d21c7e458cc4d5297c943abb2647208a1890b7b1f1f55043b305f508bac65e948c048dfdfb8d6cf58a4671587b80cac44123c6108413ce3e0c9f800b1d23dcbe

Download Submit
C:\Users\Admin\Desktop\SelectResize.wmf.XQk8iLzOQ

Filesize
341KB

MD5
a1a4604634667911aaa909d52d2e3f31

SHA1
8166a77b96d136487c9c564433a917f65ce06f33

SHA256
847c479be9cadaa0cb167c20d1abee76cc32f6ab52b0b59f2d3844ada5e8c09e

SHA512
b77ce8e8e506e4f77320894c632b7a17f3c424af4986ee1a3e9128a160aede87f26459e6884324012ec6593e14e5bf28f7f04360244c6a9f85127f62628582bf

Download Submit
C:\XQk8iLzOQ.README.txt

Filesize
343B

MD5
72b1ffaeb7de456483f491ecceadb088

SHA1
ee1953abc295245ab01f35a4a823883826bf2b41

SHA256
eb892eac9899b995047733bb17acd4945eb42b7b49f2ee8ad52b8026bc0297a7

SHA512
c0e7cad617cf1490bb25fc47936edc3ae164b190ed34f2d2a50e7e84ce6e0d6712a6ba9ab351cca1589266078326a00317516c53fecf96f20eaefe15e92ce445

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\DDDDDDDDDDD

Filesize
129B

MD5
cc647fb051bcdd47cdb7ae3dd14a504a

SHA1
2609dfa8a9e22d4614c777566967183630dac627

SHA256
621a1ce91d34aafddb939226cb404667a10189c02f8b49b590db977cebba60f3

SHA512
4ef47c215175e3831b37ed793e34fb571e0ba3a5c0040162fabec42cc46cf9b22e3335d91321118c56708e59639730b34eba01fb936fb903bed7a4acc25f0db2

Download Submit
memory/1684-2793-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2802-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2795-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2794-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2799-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2800-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2801-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2803-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2805-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/1684-2804-0x000001C6624E0000-0x000001C6624E1000-memory.dmp

Filesize
4KB

Download
memory/4404-2808-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4404-2-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4404-2807-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4404-2806-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4404-1-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4404-0-0x00000000028E0000-0x00000000028F0000-memory.dmp

Filesize
64KB

Download
memory/4740-2823-0x00007FFB700F0000-0x00007FFB70100000-memory.dmp

Filesize
64KB

Download
memory/4740-2820-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2819-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2822-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2824-0x00007FFB700F0000-0x00007FFB70100000-memory.dmp

Filesize
64KB

Download
memory/4740-2821-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2861-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2862-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2863-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2864-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download
memory/4740-2818-0x00007FFB72A50000-0x00007FFB72A60000-memory.dmp

Filesize
64KB

Download