Overview

overview

10

Static

static

3

226c69fbd8...cb.exe

windows7-x64

10

226c69fbd8...cb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2023 10:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    226c69fbd80993cd5f17f696aa924bcb.exe

  • Size

    782KB

  • MD5

    226c69fbd80993cd5f17f696aa924bcb

  • SHA1

    1aa0bf6a2470de52934be70d329a3e80e00fbd0b

  • SHA256

    2cfd30a7982b90be60f83fe5f4132999ac50d0d63d9681d8d50c3c8271faa34b

  • SHA512

    cf55ad1be4e88305b33cc48385c1f3e0581bbcc89a6f679b3905205fe55bea21c814dd13736e0cd9a4873757ebd8c0359a70e02df2fd6ef67415a3b76b70ebaf

  • SSDEEP

    12288:nhnPdo71+rsm5svWgNt6pAes0MiwLg2kLpkXfrfaEyC6gG5kmtcM0JIM1EdMEAL1:58ism5svWgufpkXfrfaEH07YIO0aL0w

Score
10/10
phobosevasionpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>0015C425-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Extracted

Path

C:\users\public\desktop\info.hta

Ransom Note
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] Or write us to the Tox: 78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074 Write this ID in the title of your message 0015C425-3483 You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
    "C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
      C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
        "C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2304
        • C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
          C:\Users\Admin\AppData\Local\Temp\226c69fbd80993cd5f17f696aa924bcb.exe
          4⤵
            PID:1084
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            4⤵
            • Modifies Windows Firewall
            PID:2552
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            4⤵
            • Modifies Windows Firewall
            PID:568
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2532
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1488
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2660
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1612
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:1876
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
          3⤵
          • Modifies Internet Explorer settings
          PID:2868
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
          3⤵
          • Modifies Internet Explorer settings
          PID:2104
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
          3⤵
          • Modifies Internet Explorer settings
          PID:856
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
          3⤵
          • Modifies Internet Explorer settings
          PID:1896
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
            PID:3068
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:3056
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2612
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:1520
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:3048
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              4⤵
              • Deletes backup catalog
              PID:2536
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:2400
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
            PID:1940

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Create or Modify System Process

          1
          T1543

          Windows Service

          1
          T1543.003

          Defense Evasion

          Indicator Removal

          3
          T1070

          File Deletion

          3
          T1070.004

          Modify Registry

          2
          T1112

          Credential Access

          Unsecured Credentials

          1
          T1552

          Credentials In Files

          1
          T1552.001

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Data from Local System

          1
          T1005

          Command and Control

          Exfiltration

          Impact

          Inhibit System Recovery

          4
          T1490

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[0015C425-3483].[[email protected]].8base
            Filesize

            143.1MB

            MD5

            01051b3615bf5d68c6cdda2270c6e2e1

            SHA1

            2fb22507b21b6154503cf509ba00ea23fd79a31c

            SHA256

            ad92394bae77c05bb84079c87e24556c331f958519ba05b999d3acafe044a0ea

            SHA512

            e0609b0f4937f33a13a8a6820be9911dd66faf168ce4e76540f7f830d5e49e9d1d7b518c4d84741e2767bd4053c32f04670ea6fbbbc426cdac14c2d1a3c577fb

            Download Submit

          • C:\Users\Admin\Desktop\info.hta
            Filesize

            5KB

            MD5

            dc02ae91a061f14304f9b0c1226620a1

            SHA1

            5a21e6868b03591f3ff6972bf8232e65f55f26c6

            SHA256

            1eea17118242dbc760c97e0dbcba1e09f272f407b1cadf7ec097fcd17e01521d

            SHA512

            c129c929aa27ce1359a204ba4d2b6b5656d8b9c992ca48d3e2655d6059884c5249ae380250b131774ed33b7c318f036dd935bbf379262da7bb52ae465516145f

            Download Submit

          • C:\info.hta
            Filesize

            5KB

            MD5

            dc02ae91a061f14304f9b0c1226620a1

            SHA1

            5a21e6868b03591f3ff6972bf8232e65f55f26c6

            SHA256

            1eea17118242dbc760c97e0dbcba1e09f272f407b1cadf7ec097fcd17e01521d

            SHA512

            c129c929aa27ce1359a204ba4d2b6b5656d8b9c992ca48d3e2655d6059884c5249ae380250b131774ed33b7c318f036dd935bbf379262da7bb52ae465516145f

            Download Submit

          • C:\info.hta
            Filesize

            5KB

            MD5

            dc02ae91a061f14304f9b0c1226620a1

            SHA1

            5a21e6868b03591f3ff6972bf8232e65f55f26c6

            SHA256

            1eea17118242dbc760c97e0dbcba1e09f272f407b1cadf7ec097fcd17e01521d

            SHA512

            c129c929aa27ce1359a204ba4d2b6b5656d8b9c992ca48d3e2655d6059884c5249ae380250b131774ed33b7c318f036dd935bbf379262da7bb52ae465516145f

            Download Submit

          • C:\users\public\desktop\info.hta
            Filesize

            5KB

            MD5

            dc02ae91a061f14304f9b0c1226620a1

            SHA1

            5a21e6868b03591f3ff6972bf8232e65f55f26c6

            SHA256

            1eea17118242dbc760c97e0dbcba1e09f272f407b1cadf7ec097fcd17e01521d

            SHA512

            c129c929aa27ce1359a204ba4d2b6b5656d8b9c992ca48d3e2655d6059884c5249ae380250b131774ed33b7c318f036dd935bbf379262da7bb52ae465516145f

            Download Submit

          • F:\info.hta
            Filesize

            5KB

            MD5

            dc02ae91a061f14304f9b0c1226620a1

            SHA1

            5a21e6868b03591f3ff6972bf8232e65f55f26c6

            SHA256

            1eea17118242dbc760c97e0dbcba1e09f272f407b1cadf7ec097fcd17e01521d

            SHA512

            c129c929aa27ce1359a204ba4d2b6b5656d8b9c992ca48d3e2655d6059884c5249ae380250b131774ed33b7c318f036dd935bbf379262da7bb52ae465516145f

            Download Submit

          • memory/1084-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1084-42-0x0000000000401000-0x000000000040A000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2064-0-0x0000000001030000-0x00000000010FA000-memory.dmp

            Filesize

            808KB

            Download

          • memory/2064-6-0x0000000000C00000-0x0000000000C4C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2064-5-0x0000000000AC0000-0x0000000000AF4000-memory.dmp

            Filesize

            208KB

            Download

          • memory/2064-4-0x0000000000A00000-0x0000000000A46000-memory.dmp

            Filesize

            280KB

            Download

          • memory/2064-3-0x0000000000200000-0x000000000024E000-memory.dmp

            Filesize

            312KB

            Download

          • memory/2064-2-0x0000000004A40000-0x0000000004A80000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2064-17-0x0000000074770000-0x0000000074E5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2064-1-0x0000000074770000-0x0000000074E5E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2304-23-0x00000000006B0000-0x00000000006F6000-memory.dmp

            Filesize

            280KB

            Download

          • memory/2304-40-0x0000000074080000-0x000000007476E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2304-20-0x0000000074080000-0x000000007476E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2304-21-0x0000000001030000-0x00000000010FA000-memory.dmp

            Filesize

            808KB

            Download

          • memory/2304-22-0x0000000004AE0000-0x0000000004B20000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2416-10-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-71-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-18-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-15-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-52-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-54-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-55-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-56-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-57-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-58-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-77-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-19-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2416-86-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-83-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-97-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-282-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-12-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-11-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-9-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-8-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2416-7-0x0000000000400000-0x0000000000413000-memory.dmp

            Filesize

            76KB

            Download