Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/06/2024, 10:46

General

  • Target

    VirusShare_2159f467a156a355c527f8816dc99375.exe

  • Size

    350KB

  • MD5

    2159f467a156a355c527f8816dc99375

  • SHA1

    41dd19f62208901d4dd454d084382dc408fc0bf1

  • SHA256

    2de0e8bfc87c75268fc4dd06971cfa4eaa6ef0703a92b07e8a3d1d78473e2758

  • SHA512

    14eb7a5bae2f09b7a11682689677d4ad61b83a81c0bb64d880d97cd858147ad5362038b3ccf67a7e3958aa06105e71f81b6cab01b01f5edf527efeabaf468874

  • SSDEEP

    6144:zqjAgHiAy4sYQwxmE8r3M9NQbkN4PYITd/FP1i2/ph80vVy98G2fms7L:zXopy41mEaM9+b3PFNFlhTy98G2eqL

Malware Config

Extracted

Path

C:\Program Files\Common Files\DESIGNER\-!RecOveR!-wxdkm++.Txt

Ransom Note
NOT YOUR LANGUAGE? USE https://translate.google.com '+!6*&078)!=&6'6<>5&7$?4('6>2'- ------- '+!6*&078)!=&6'6<>5&7$?4('6>2'- What's the matter with your files? Your data was secured using a strong encryption with RSA-4096. Use the link down below to find additional information on the encryption keys using RSA-4096 https://en.wikipedia.org/wiki/RSA_(cryptosystem) What exactly that means? '+!6*&078)!=&6'6<>5&7$?4('6>2'- ------- '+!6*&078)!=&6'6<>5&7$?4('6>2'- It means that on a structural level your files have been transformed . You won't be able to use , read , see or work with them anymore . In other words they are useless , however , there is possibility to restore them with our help . '+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'- What exactly happened to your files ??? !!! Two personal RSA-4096 keys were generated for your PC/Laptop; one key is public, another key is private. !!! All your data and files were encrypted by the means of the public key , which you received over the web . !!! In order to decrypt your data and gain access to your computer you need a private key and a decryption software, which can be found on one of our secret servers. !!! What should you do next ??? '+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'- In case you have valuable files , we advise you to act fast as there is no other option rather than paying in order to get back your data. 
In order to obtain specific instructions , please access your personal homepage by choosing one of the few addresses down below : http://k47d3.proporr.com/225A1510AD1888A7 http://wor4d.slewirk.at/225A1510AD1888A7 http://kbv5s.kylepasse.at/225A1510AD1888A7 '+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'- If you can't access your personal homepage or the addresses are not working, complete the following steps: *** Download and Install TOR Browser - http://www.torproject.org/projects/torbrowser.html.en *** Run TOR Browser Insert link in the address bar - yyhn7fpvq44cqcu3.onion/225A1510AD1888A7 '+!6*&078)!=&6'6<>5&7$?4('6>2'-----IMPORTANT*****************INFORMATION---------'+!6*&078)!=&6'6<>5&7$?4('6>2'- Your personal homepages http://k47d3.proporr.com/225A1510AD1888A7 http://wor4d.slewirk.at/225A1510AD1888A7 http://kbv5s.kylepasse.at/225A1510AD1888A7 Your personal homepage Tor-Browser yyhn7fpvq44cqcu3.onion/225A1510AD1888A7 Your personal ID 225A1510AD1888A7 '+!6*&078)!=&6'6<>5&7$?4('6>2'- ----- '+!6*&078)!=&6'6<>5&7$?4('6>2'-
URLs

http://k47d3.proporr.com/225A1510AD1888A7

http://wor4d.slewirk.at/225A1510AD1888A7

http://kbv5s.kylepasse.at/225A1510AD1888A7

http://yyhn7fpvq44cqcu3.onion/225A1510AD1888A7

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_2159f467a156a355c527f8816dc99375.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_2159f467a156a355c527f8816dc99375.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\Documents\cxdrenwgpnxp.exe
      C:\Users\Admin\Documents\cxdrenwgpnxp.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1152
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:3828
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\-!RecOveR!-wxdkm++.Txt
        3⤵
          PID:1984
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\-!RecOveR!-wxdkm++.Htm
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3432
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff32fc46f8,0x7fff32fc4708,0x7fff32fc4718
            4⤵
              PID:5860
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
              4⤵
                PID:1708
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
                4⤵
                  PID:2412
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
                  4⤵
                    PID:1916
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
                    4⤵
                      PID:5824
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
                      4⤵
                        PID:5404
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
                        4⤵
                          PID:2372
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
                          4⤵
                            PID:1544
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
                            4⤵
                              PID:3356
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
                              4⤵
                                PID:5096
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
                                4⤵
                                  PID:5508
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12151596414465685009,1729401409948047325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                                  4⤵
                                    PID:3272
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        3⤵
        • Interacts with shadow copies
        PID:284
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\DOCUME~1\CXDREN~1.EXE >> NUL
        3⤵
        PID:2480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE >> NUL
      2⤵
      PID:3432
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4876
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5040
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4304

Downloads
