Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    06-10-2023 05:38

General

  • Target

    ecdf7acb35e4268bcafb03b8af12f659.exe

  • Size

    686KB

  • MD5

    ecdf7acb35e4268bcafb03b8af12f659

  • SHA1

    93b0d892bd3fbb7d3d9efb69fffdc060159d4536

  • SHA256

    c0539fd02ca0184925a932a9e926c681dc9c81b5de4624250f2dd885ca5c4763

  • SHA512

    5cd325c7a0a47921e940480c4e3f983b5b56a2906639e6f2a67d3264e039f06034d286f68e36a1b1ae7642d1ac0e274283d5d45381cede14ba83177355f1017d

  • SSDEEP

    12288:UzRlcffXwJsWFAFnjJPQJq+6byL3z5SjMa1jkSC9U:ujB0JYcAa1S

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>7653C5C8-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 7653C5C8-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
  • Renames multiple (325) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies Windows Firewall 1 TTPs 2 IoCs
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
    "C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
      C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
      2⤵
        PID:2992
      • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
        C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
          "C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
            C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
            4⤵
              PID:2444
            • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
              C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
              4⤵
                PID:2864
              • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
                C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
                4⤵
                  PID:3000
                • C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
                  C:\Users\Admin\AppData\Local\Temp\ecdf7acb35e4268bcafb03b8af12f659.exe
                  4⤵
                    PID:1696
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2516
                  • C:\Windows\system32\netsh.exe
                    netsh advfirewall set currentprofile state off
                    4⤵
                    • Modifies Windows Firewall
                    PID:2108
                  • C:\Windows\system32\netsh.exe
                    netsh firewall set opmode mode=disable
                    4⤵
                    • Modifies Windows Firewall
                    PID:2376
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2380
                  • C:\Windows\system32\vssadmin.exe
                    vssadmin delete shadows /all /quiet
                    4⤵
                    • Interacts with shadow copies
                    PID:332
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic shadowcopy delete
                    4⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:524
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} bootstatuspolicy ignoreallfailures
                    4⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1780
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit /set {default} recoveryenabled no
                    4⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1684
                  • C:\Windows\system32\wbadmin.exe
                    wbadmin delete catalog -quiet
                    4⤵
                    • Deletes backup catalog
                    PID:2180
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:112
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:2684
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:2224
                • C:\Windows\SysWOW64\mshta.exe
                  "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
                  3⤵
                  • Modifies Internet Explorer settings
                  PID:3000
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe"
                  3⤵
                    PID:2600
                    • C:\Windows\system32\vssadmin.exe
                      vssadmin delete shadows /all /quiet
                      4⤵
                      • Interacts with shadow copies
                      PID:2744
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic shadowcopy delete
                      4⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2456
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      4⤵
                      • Modifies boot configuration data using bcdedit
                      PID:2752
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled no
                      4⤵
                      • Modifies boot configuration data using bcdedit
                      PID:932
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      4⤵
                      • Deletes backup catalog
                      PID:2632
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2628
              • C:\Windows\system32\wbengine.exe
                "C:\Windows\system32\wbengine.exe"
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2836
              • C:\Windows\System32\vdsldr.exe
                C:\Windows\System32\vdsldr.exe -Embedding
                1⤵
                  PID:2252
                • C:\Windows\System32\vds.exe
                  C:\Windows\System32\vds.exe
                  1⤵
                    PID:2120

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[7653C5C8-3483].[[email protected]].8base

                    Filesize

                    143.1MB

                    MD5

                    f4042b3ccf70d9883dbe9f370644eff5

                    SHA1

                    489dd6590e98b970e3416826dbf15b5dd6541554

                    SHA256

                    57643f49522ed146e9e9e485a099998cfc4932de19b0b9a6bde3cf48aecd79a0

                    SHA512

                    14ad6329e514d1078e133aceb7162e6cdba9708bc88b5921d29fddbb0902b329ac5d5e8860480123f031af261b317fdda596787dd5467194cdd9aadce722a260

                  • C:\Users\Admin\Desktop\info.hta

                    Filesize

                    5KB

                    MD5

                    c7d91ac039a19bc89d3442539ae1625a

                    SHA1

                    c3879e9dad8320655741013136895d4aaa555f84

                    SHA256

                    79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd

                    SHA512

                    494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210

                  • C:\info.hta

                    Filesize

                    5KB

                    MD5

                    c7d91ac039a19bc89d3442539ae1625a

                    SHA1

                    c3879e9dad8320655741013136895d4aaa555f84

                    SHA256

                    79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd

                    SHA512

                    494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210

                  • C:\info.hta

                    Filesize

                    5KB

                    MD5

                    c7d91ac039a19bc89d3442539ae1625a

                    SHA1

                    c3879e9dad8320655741013136895d4aaa555f84

                    SHA256

                    79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd

                    SHA512

                    494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210

                  • C:\users\public\desktop\info.hta

                    Filesize

                    5KB

                    MD5

                    c7d91ac039a19bc89d3442539ae1625a

                    SHA1

                    c3879e9dad8320655741013136895d4aaa555f84

                    SHA256

                    79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd

                    SHA512

                    494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210

                  • F:\info.hta

                    Filesize

                    5KB

                    MD5

                    c7d91ac039a19bc89d3442539ae1625a

                    SHA1

                    c3879e9dad8320655741013136895d4aaa555f84

                    SHA256

                    79ac50c02354a27d939437acb82ecece3548c9f86b5bdaad444b4a396a5a1abd

                    SHA512

                    494425ecdb6d2ca90a9598e1e22db90051740d5fe0a507230e86437f7e0ad1b251ca44077b5f187ae6f8a1eafe907128ff588afd566710002038ce227cb7c210

                  • memory/2088-71-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-6-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-8-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-10-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-9-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-11-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                  • memory/2088-14-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-17-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-16-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-4116-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-4106-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-4089-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-2895-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-274-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-111-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-7-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-66-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-45-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-47-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-50-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-51-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-52-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-53-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-54-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2088-62-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB

                  • memory/2184-5-0x00000000041F0000-0x000000000423C000-memory.dmp

                    Filesize

                    304KB

                  • memory/2184-0-0x0000000074490000-0x0000000074B7E000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/2184-1-0x0000000000210000-0x00000000002C2000-memory.dmp

                    Filesize

                    712KB

                  • memory/2184-35-0x0000000074490000-0x0000000074B7E000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/2184-2-0x0000000004B80000-0x0000000004BC0000-memory.dmp

                    Filesize

                    256KB

                  • memory/2184-3-0x00000000004A0000-0x00000000004E6000-memory.dmp

                    Filesize

                    280KB

                  • memory/2184-4-0x0000000000A30000-0x0000000000A64000-memory.dmp

                    Filesize

                    208KB

                  • memory/2704-32-0x0000000074440000-0x0000000074B2E000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/2704-18-0x0000000000210000-0x00000000002C2000-memory.dmp

                    Filesize

                    712KB

                  • memory/2704-19-0x0000000074440000-0x0000000074B2E000-memory.dmp

                    Filesize

                    6.9MB

                  • memory/2704-20-0x0000000004410000-0x0000000004450000-memory.dmp

                    Filesize

                    256KB

                  • memory/2704-21-0x00000000002D0000-0x0000000000316000-memory.dmp

                    Filesize

                    280KB

                  • memory/2864-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                    Filesize

                    4KB

                  • memory/2864-34-0x0000000000400000-0x0000000000413000-memory.dmp

                    Filesize

                    76KB