Analysis

  • max time kernel
    123s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    10/06/2024, 11:37

General

  • Target

    VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe

  • Size

    368KB

  • MD5

    5885d072fb73bdd355e85b67bcde3bfd

  • SHA1

    538b93b18131e4d9de79f87f6b156c2d46895045

  • SHA256

    d3f5990770291c25a4ff14e8a6fe033f7ad1689c6206ed41eb7ed253a1c2c348

  • SHA512

    7da4dbbb0c98cd2ad56ffe28a23ed67e66583a0822e0e16aadfa102447d7a22acbd9e526fc9a9ee3ecae68389b02e12347182a64829cd762559ed083ee94882e

  • SSDEEP

    6144:iQNUdPR6oncUtPLJoJi8ju8FQNXsyR36GeHba2grj9F4SENppTUHtnvR3aF3J9PQ:XNUdc6wA8P2cyF6T7a2gH9F4dzhUl6rP

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Recovery+cnfuw.txt

Ransom Note
__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. !!! Decrypting of your files is only possible with the help of the private key and decrypt program , which is on our Secret Server What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/4E62CBE897AFC44E 2. http://b4youfred5485jgsa3453f.italazudda.com/4E62CBE897AFC44E 3. http://5rport45vcdef345adfkksawe.bematvocal.at/4E62CBE897AFC44E If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization 3. Type in the address bar: fwgrhsao3aoml7ej.onion/4E62CBE897AFC44E 4. Follow the instructions on the site. 
---------------- IMPORTANT INFORMATION------------------------ *-*-* Your personal pages: http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/4E62CBE897AFC44E http://b4youfred5485jgsa3453f.italazudda.com/4E62CBE897AFC44E http://5rport45vcdef345adfkksawe.bematvocal.at/4E62CBE897AFC44E *-*-* Your personal page Tor-Browser: fwgrhsao3aoml7ej.ONION/4E62CBE897AFC44E *-*-* Your personal identification ID: 4E62CBE897AFC44E
URLs

http://prest54538hnksjn4kjfwdbhwere.hotchunman.com/4E62CBE897AFC44E

http://b4youfred5485jgsa3453f.italazudda.com/4E62CBE897AFC44E

http://5rport45vcdef345adfkksawe.bematvocal.at/4E62CBE897AFC44E

http://fwgrhsao3aoml7ej.onion/4E62CBE897AFC44E

http://fwgrhsao3aoml7ej.ONION/4E62CBE897AFC44E

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (425) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes itself 1 IoCs
  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
    "C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe
      "C:\Users\Admin\AppData\Local\Temp\VirusShare_5885d072fb73bdd355e85b67bcde3bfd.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\toweqsyjejbl.exe
        C:\Windows\toweqsyjejbl.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2396
        • C:\Windows\toweqsyjejbl.exe
          C:\Windows\toweqsyjejbl.exe
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1580
          • C:\Windows\System32\wbem\WMIC.exe
            "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2300
          • C:\Windows\SysWOW64\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RECOVERY.TXT
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2040
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\RECOVERY.HTM
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1664
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2464
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c DEL C:\Windows\TOWEQS~1.EXE
            5⤵
              PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\VIRUSS~1.EXE
          3⤵
          • Deletes itself
          PID:2332
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:1936

    Downloads
