Analysis

  • max time kernel
    103s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2025, 06:53

General

  • Target

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

  • Size

    80KB

  • MD5

    8152a3d0d76f7e968597f4f834fdfa9d

  • SHA1

    c3cf05f3f79851d3c0d4266ab77c8e3e3f88c73e

  • SHA256

    69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b

  • SHA512

    eb1a18cb03131466a4152fa2f6874b70c760317148684ca9b95044e50dc9cd19316d6e68e680ce18599114ba73e75264de5dab5afe611165b9c6c0b5f01002b4

  • SSDEEP

    1536:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/suIicRtpNf8SgRXt+AacRDVX8C4OntD4acN:SHbigeMiIeMfZ7tOBbFv0CIG0dDh/su0

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Family

hakbit

Ransom Note
To recover your data contact the email below [email protected] Key Identifier: SIOc7lGc6JDUsuPbK2/yplD3KlmBpbrYGN3sxRgES/MF2BeFqkFJcCzfKfGyWJQ77OmRtdBbV/T049i9A5WziQtlmn7JFksTguC3g0gb9gIysU6D5Uglm5Sq5r0ZO6sXuVvWTDVAm3DBOle/aIxn2wXutCMzYuv+I5mmarHafmCYSW7ys9lQHW13dsOB8I6VcFE5i3jxueFnpUOFdIt4684V/krm0MIPYFJGVT/IqCx3b4SdarOP2UAcCIFiJnDpFcstR9wuRl3n6ett85of3AE79seCAxnAVl6wAUFqstq5ZDgI/wZL1lwaMfZ8yw9G9GoiKolC3CSk+rQP960d/p+qcjI4d0i0G4DWeI31eIhrE5kwORwTUe8p7S/2ZI+oN07YtLOsxWZ8eLYrXihJ0oo/YqmgADNT9y8D/vU0iPmQl1255C8Ku2Pbrh2xo6e0fIawyXNq8IPg69Ftby4/8OhOZ5FVLjNKTWZ2nhV9NrZKQjNRe1B+G+V3H5ngFBPG0ITJs3l2T3AdB5k1bof/LuEcOJIoQRW9pPBwoGxXkEdp4rhomkAbMiLs1XuSv1shCEwHidT9ajgY+w/vJms3V+qgFYCupo7gCaZqx06rji3KshywjT/QCaMAJUrneZztsA7zAAwWJ9IGrjk/JZrkMppF2qANIYuwIk2wfWSEDtU= Number of files that were processed is: 432

Signatures

  • Disables service(s) 3 TTPs
  • Hakbit

    Ransomware which encrypts files using AES, first seen in November 2019.

  • Hakbit family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 47 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
    "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY start= disabled
      2⤵
      • Launches sc.exe
      PID:5440
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
      2⤵
      • Launches sc.exe
      PID:3104
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SQLWriter start= disabled
      2⤵
      • Launches sc.exe
      PID:1440
    • C:\Windows\SYSTEM32\sc.exe
      "sc.exe" config SstpSvc start= disabled
      2⤵
      • Launches sc.exe
      PID:1416
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:6028
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1916
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqbcoreservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3828
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM firefoxconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3948
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM agntsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM steam.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5312
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM encsvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3304
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM excel.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM CNTAoSMgr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3712
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlwriter.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3924
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tbirdconfig.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbeng50.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM thebat64.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3116
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocomm.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5888
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM infopath.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mbamtray.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:864
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM zoolz.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" IM thunderbird.exe /F
      2⤵
      • Kills process with taskkill
      PID:3656
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM dbsnmp.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM xfssvccon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5324
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mspub.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3728
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM Ntrtscan.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5348
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM isqlplussvc.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5124
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM onenote.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5616
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM PccNTMon.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msaccess.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4068
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM outlook.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3672
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM tmlisten.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4680
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM msftesql.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:808
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM powerpnt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopqos.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM visio.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mydesktopservice.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5568
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM winword.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1256
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-nt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3504
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM wordpad.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3284
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM mysqld-opt.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocautoupds.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM ocssd.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM oracle.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4968
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlagent.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlbrowser.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4740
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM sqlservr.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4748
    • C:\Windows\SYSTEM32\taskkill.exe
      "taskkill.exe" /IM synctime.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3416
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
      2⤵
        PID:3000
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1900
      • C:\Windows\System32\notepad.exe
        "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:4976
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
        2⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2156
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.7 -n 3
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5348
        • C:\Windows\system32\fsutil.exe
          fsutil file setZeroData offset=0 length=524288 “%s”
          3⤵
            PID:2204
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe
          2⤵
            PID:5332
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 3
              3⤵
                PID:2076

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

                  Filesize

                  1.3MB

                  MD5

                  866c052a71eb702458034c52df9eeace

                  SHA1

                  ec5a5f0acb82e9015e56b18dc31fac8a2117d947

                  SHA256

                  2b19eca12bc4afb42c8dbf04b81bd0bfdd27fe1a7894f59eb4a90656653f2ff4

                  SHA512

                  4b94831581b7fd872519d7c38847a3dbb6b8387a9a83c9a8394669bcf9a0cc5a76c5736a01393a707b6b01d6f66133baa050928785149a075d98dc6f037b2bf0

                • C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

                  Filesize

                  28.8MB

                  MD5

                  692b55e7e57ce554a1e9fed6a493d9d8

                  SHA1

                  16ddacc98779b07285585d10b02a7799e660be31

                  SHA256

                  12b92300051f100617fed16b21ded3b84c3e05eaa992661621e368abf77e2dc5

                  SHA512

                  01189d49d1d193afc63bdf22636bbbc83549aa5e4710314ba7cd38cd4dd284cbe94c3a0af5e3cc69c833c8460cca871367a24c3035fa04fa0b65c55dc046e9d7

                • C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

                  Filesize

                  728KB

                  MD5

                  3be47d4f6569cbd3ac75ef2d5e657090

                  SHA1

                  02d3196b85caa38a2a9623e46f018b3b5efd712c

                  SHA256

                  63cedadeb0aad6074ef8e0f1ba08dde437cc649cf67cbeb2d808ba5e6bd71552

                  SHA512

                  016e7b90bc88e679cc607ae2279926582a5d9bcf44e8a1e9a9c244f67c39f4d80534716b9fc54e4d4a9f6f46d39fbc18040a32b08b574ff4dd954c9bb8eb7d7f

                • C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

                  Filesize

                  25.7MB

                  MD5

                  aa2153406b19d258cc49c90097368da3

                  SHA1

                  c7a91f346b9d1da66aff021a74554ebab0382183

                  SHA256

                  3ac7e79275e78a2330221a75c9bc2a13b7a5cfe682c9955857901917bd336faf

                  SHA512

                  2308130899ada74c39069743534a8269205d5e17b5cf4c63ebde6b4fd85255380bdad7ff2850ae0c8cb329fd40ac8d1d7304a3cb846c769b152923652e0a10ea

                • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

                  Filesize

                  180KB

                  MD5

                  71417092a1a57359141ef60a20623b6f

                  SHA1

                  0278fcb9608256aed20f66e0e3f24ea9012f98af

                  SHA256

                  bef626b11f01e92627faa3f2733014572a1d834005c2d3a2e7d0f5d37828c5f7

                  SHA512

                  bd9ec45f237e439415dfb35a1aea3293c39240aadff98304efe7aa618d54483d319af34ede167b252348dcf1e860d6ee96cd3282d7445f1c9d2aedb1eba62be4

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  2KB

                  MD5

                  d85ba6ff808d9e5444a4b369f5bc2730

                  SHA1

                  31aa9d96590fff6981b315e0b391b575e4c0804a

                  SHA256

                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                  SHA512

                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Filesize

                  944B

                  MD5

                  5f3d606f9a5f1201bfc1f01c54e842c4

                  SHA1

                  f1917e50b557b135953ecbe63e1fc1e675b541f1

                  SHA256

                  dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

                  SHA512

                  d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtfekre0.gdz.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

                  Filesize

                  828B

                  MD5

                  1d976ac9c9d0fab86d3db0697b61f665

                  SHA1

                  91baddfe4cce9ed5a7ef61180eaa51c147c746c7

                  SHA256

                  cbce1ce3c9e29927995732871c0b10adae1fb578c7ec2ddb06c2d12f3591ab95

                  SHA512

                  85b5b653860ad00a4e01d7b10f8b9c680969bc8a92e5a75f5982663e19d6c8656cf7d55cd0a72ac7dd3a1aff3b019ed4f9624adb38d5270b4bc4660c072ab0f5

                • memory/1900-12-0x00000271B7790000-0x00000271B77B2000-memory.dmp

                  Filesize

                  136KB

                • memory/4376-178-0x00007FF888733000-0x00007FF888735000-memory.dmp

                  Filesize

                  8KB

                • memory/4376-1-0x0000000000410000-0x000000000042A000-memory.dmp

                  Filesize

                  104KB

                • memory/4376-214-0x00007FF888730000-0x00007FF8891F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4376-2-0x00007FF888730000-0x00007FF8891F1000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4376-0-0x00007FF888733000-0x00007FF888735000-memory.dmp

                  Filesize

                  8KB

                • memory/4376-536-0x00007FF888730000-0x00007FF8891F1000-memory.dmp

                  Filesize

                  10.8MB