Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    29-10-2021 12:20

General

  • Target

    c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe

  • Size

    106KB

  • MD5

    af745cf9bbc68f8652678a1299abb68d

  • SHA1

    cd4793e42b0a27b2d73bc558d2d01842f73311e4

  • SHA256

    c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f

  • SHA512

    22fdaa9a782c1e3c08b0403dee317ccb441eec6c461a7b3372e184c557ba7721ab62412a161a9b33ee96fe4f8240ccc1f5142bfa76a14b2001b73a113ff018fd

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\decrypt_info.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail) Send us this file decrypt_info ================================================================================================================= Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) ====================================================== You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country ================================================================================================================= IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! =============================================================================================================== Key Identifier: Kdtcq+s7UnqgqmU2Yljc1sBuT2AavRO7NU7XxHQRkemES+V4oLQTpIlZpXH3ywu/JJTfMRgX+ZmQUqiMobjFqv2/1xkkBEso8ZxlEAAfI2HrRGh28n/uXHmU0KyL1cXsAaUGBnK2nBXkIcYCz8ELa+C/x0vaORuk5oeBjI/KemRWBHr+fuWP8aJLYj77dWfPFyaiAzn/rgWrGv/kSCYAJBKiswPosemR6WhNO1nxPLWWg9nv7PNUm0aQTPY9TNvGsfvND7Raj4TxdKuEI6us3yB5sLK0XbzXp7kRx1Xo3Bmk9Ss0W0QKZfZW094WelH7RjoOfz0k3vlJ5QNTm4UmzmW1DOaYqTf8Y/dK6lOzuFoyNtC/FPj/lu4XixDO4mp7q75f5F5R7CnoXPwEaOaEKYeWr0iQnfyM9qhYyRS52Tpaj45ZkdOcUEfLlB20ZDVNSAiVYSZANp5axMAFDDAYo6t82p9137Ki+jA66ffKgZbRpbrxPSqK2kZQBiGPe71Ir+cGEWLo2G+f4NV62VgAd1aZQj+GedC5GcoSZEVlJJh1IQHUovcLuN05yB6BOE9uYc1dj6OnPHUVGkRgDM55CvOasOiw3Q2RrT0VI9pIrzKcWovruL6YClI4CVeLTdev7b2GQAbqZsEqo85TWJLpam4GLxIfW746m1DwKAlg7N4= PC Hardware ID: DA5D582B

Extracted

Path

C:\Users\Admin\Desktop\decrypt_info.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail) Send us this file decrypt_info ================================================================================================================= Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) ====================================================== You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country ================================================================================================================= IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! =============================================================================================================== Key Identifier: Kdtcq+s7UnqgqmU2Yljc1sBuT2AavRO7NU7XxHQRkemES+V4oLQTpIlZpXH3ywu/JJTfMRgX+ZmQUqiMobjFqv2/1xkkBEso8ZxlEAAfI2HrRGh28n/uXHmU0KyL1cXsAaUGBnK2nBXkIcYCz8ELa+C/x0vaORuk5oeBjI/KemRWBHr+fuWP8aJLYj77dWfPFyaiAzn/rgWrGv/kSCYAJBKiswPosemR6WhNO1nxPLWWg9nv7PNUm0aQTPY9TNvGsfvND7Raj4TxdKuEI6us3yB5sLK0XbzXp7kRx1Xo3Bmk9Ss0W0QKZfZW094WelH7RjoOfz0k3vlJ5QNTm4UmzmW1DOaYqTf8Y/dK6lOzuFoyNtC/FPj/lu4XixDO4mp7q75f5F5R7CnoXPwEaOaEKYeWr0iQnfyM9qhYyRS52Tpaj45ZkdOcUEfLlB20ZDVNSAiVYSZANp5axMAFDDAYo6t82p9137Ki+jA66ffKgZbRpbrxPSqK2kZQBiGPe71Ir+cGEWLo2G+f4NV62VgAd1aZQj+GedC5GcoSZEVlJJh1IQHUovcLuN05yB6BOE9uYc1dj6OnPHUVGkRgDM55CvOasOiw3Q2RrT0VI9pIrzKcWovruL6YClI4CVeLTdev7b2GQAbqZsEqo85TWJLpam4GLxIfW746m1DwKAlg7N4= Number of files that were processed is: 1840 PC Hardware ID: DA5D582B

Signatures

  • Modifies Windows Firewall 1 TTPs
  • Drops startup file 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 36 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
    "C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe"
    1⤵
    • Drops startup file
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2680
    • C:\Windows\SysWOW64\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\SysWOW64\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:2380
      • C:\Windows\SysWOW64\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:2664
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:3936
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
          2⤵
          • Drops file in Windows directory
          PID:3412
        • C:\Windows\SysWOW64\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
            PID:3680
          • C:\Windows\SysWOW64\sc.exe
            "sc.exe" config FDResPub start= auto
            2⤵
              PID:2828
            • C:\Windows\SysWOW64\sc.exe
              "sc.exe" config SQLTELEMETRY start= disabled
              2⤵
                PID:4052
              • C:\Windows\SysWOW64\sc.exe
                "sc.exe" config SSDPSRV start= auto
                2⤵
                  PID:892
                • C:\Windows\SysWOW64\sc.exe
                  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
                  2⤵
                    PID:2408
                  • C:\Windows\SysWOW64\sc.exe
                    "sc.exe" config SstpSvc start= disabled
                    2⤵
                      PID:3036
                    • C:\Windows\SysWOW64\sc.exe
                      "sc.exe" config upnphost start= auto
                      2⤵
                        PID:1144
                      • C:\Windows\SysWOW64\sc.exe
                        "sc.exe" config SQLWriter start= disabled
                        2⤵
                          PID:956
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2936
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mspub.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1512
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM synctime.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2992
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2264
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3972
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM Ntrtscan.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2252
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM isqlplussvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1424
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqbcoreservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1996
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2480
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM firefoxconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2200
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM encsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:364
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM onenote.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3176
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tbirdconfig.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1724
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM PccNTMon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3324
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM excel.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1012
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM agntsvc.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2652
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbeng50.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3260
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msaccess.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:652
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat64.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:832
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM thebat.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2332
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM CNTAoSMgr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3948
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocomm.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1352
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM outlook.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1488
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlwriter.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2360
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM steam.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1760
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" IM thunderbird.exe /F
                          2⤵
                          • Kills process with taskkill
                          PID:2524
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM tmlisten.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:872
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM infopath.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1900
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM wordpad.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3576
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM dbsnmp.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2816
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM msftesql.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3792
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mbamtray.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3992
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-opt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3748
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM xfssvccon.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2380
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM powerpnt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1996
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM zoolz.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3456
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocautoupds.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2608
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopqos.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1176
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM ocssd.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2840
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM visio.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2060
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM oracle.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2312
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mydesktopservice.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1192
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlagent.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3152
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM winword.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1656
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlbrowser.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3756
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM mysqld-nt.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1992
                        • C:\Windows\SysWOW64\taskkill.exe
                          "taskkill.exe" /IM sqlservr.exe /F
                          2⤵
                          • Kills process with taskkill
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3188
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
                          2⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4032
                        • C:\Windows\SysWOW64\netsh.exe
                          "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
                          2⤵
                            PID:2948
                          • C:\Windows\SysWOW64\arp.exe
                            "arp" -a
                            2⤵
                              PID:3036
                            • C:\Windows\SysWOW64\cmd.exe
                              "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
                              2⤵
                                PID:3904
                              • C:\Windows\SysWOW64\notepad.exe
                                "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\decrypt_info.txt
                                2⤵
                                • Opens file in notepad (likely ransom note)
                                PID:3808
                              • C:\Windows\SysWOW64\cmd.exe
                                "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
                                2⤵
                                  PID:3800
                                  • C:\Windows\SysWOW64\PING.EXE
                                    ping 127.0.0.7 -n 3
                                    3⤵
                                    • Runs ping.exe
                                    PID:2764
                                  • C:\Windows\SysWOW64\fsutil.exe
                                    fsutil file setZeroData offset=0 length=524288 “%s”
                                    3⤵
                                      PID:2312
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\c6d7c39e83f12684cc9341305044fb03a61d23876d37746d96d31a9191bacb8f.exe
                                    2⤵
                                      PID:3772
                                      • C:\Windows\SysWOW64\choice.exe
                                        choice /C Y /N /D Y /T 3
                                        3⤵
                                          PID:516

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/2680-118-0x0000000004B70000-0x0000000004B71000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/2680-115-0x0000000000210000-0x0000000000211000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/2680-117-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-183-0x0000000004620000-0x0000000004621000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-182-0x00000000046C0000-0x00000000046C1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-185-0x0000000007090000-0x0000000007091000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-181-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-187-0x00000000046C2000-0x00000000046C3000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-188-0x00000000078A0000-0x00000000078A1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-189-0x0000000007730000-0x0000000007731000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-191-0x0000000007A80000-0x0000000007A81000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-192-0x0000000007A40000-0x0000000007A41000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-193-0x00000000082E0000-0x00000000082E1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-194-0x0000000008190000-0x0000000008191000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-195-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-205-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-206-0x00000000046C3000-0x00000000046C4000-memory.dmp

                                      Filesize

                                      4KB

                                    • memory/4032-207-0x00000000046C4000-0x00000000046C6000-memory.dmp

                                      Filesize

                                      8KB

                                    • memory/4032-180-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                      Filesize

                                      4KB