Overview

overview

10

Static

static

3

30e90f3306...71.exe

windows7-x64

10

30e90f3306...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-10-2024 18:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe

  • Size

    1.1MB

  • MD5

    fba616f5dc56b1cd9c463c0b9da86578

  • SHA1

    ac2b9c5c34af3894210852c7199a32dcd96c048c

  • SHA256

    30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971

  • SHA512

    7e6c8b01308310a7f13bb3891a166eced2d15057ffa1d3b296058d9420ac46cb39abc272d4883bb2168b00d04a34fe674ef6085776b618a46913854421484cd5

  • SSDEEP

    12288:6YFxm3mFshWQKt/kzc8MDz311UVZi/MBJ+z4YTwSPFOXXBumgKGYwhm0XPie4LnM:NrPFYW/x19/MGxPGAmQn/isFhXV

Score
10/10
phoboscredential_accessdefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>cartilage</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #C6B5C4; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #B5CC8E; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #e6ecf2; border-left: 10px solid #B58CB2; } .alert { background: #FFE4E4; border-left: 10px solid #FFA07A; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC.</div> <div class='bold'>If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Or write us to the Tox: <span class='mark'>78E21CFF7AA85F713C1530AEF2E74E62830BEE77238F4B0A73E5E3251EAD56427BF9F7A1A074</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>82C1235E-3483</span></div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>
Emails

class='mark'>[email protected]</span></div>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

Signatures

  • Phobos

    Phobos ransomware appeared at the beginning of 2019.

    ransomwarephobos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
    ransomwareevasion
  • Renames multiple (311) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes backup catalog 3 TTPs 2 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Drops startup file 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
    "C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
      C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
        "C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
          C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
          4⤵
            PID:2824
          • C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
            C:\Users\Admin\AppData\Local\Temp\30e90f33067608e8e7f4d57fd6903adb5eccb91bf426c56569c16bf86f0d8971.exe
            4⤵
              PID:2892
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\netsh.exe
              netsh advfirewall set currentprofile state off
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2092
            • C:\Windows\system32\netsh.exe
              netsh firewall set opmode mode=disable
              4⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              PID:2364
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:2976
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2200
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:1976
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:1708
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              4⤵
              • Deletes backup catalog
              PID:2760
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:668
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:1476
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:200
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            PID:2060
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe"
            3⤵
              PID:2576
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                4⤵
                • Interacts with shadow copies
                PID:1800
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                4⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:676
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                4⤵
                • Modifies boot configuration data using bcdedit
                PID:472
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                4⤵
                • Modifies boot configuration data using bcdedit
                PID:2324
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                4⤵
                • Deletes backup catalog
                PID:2472
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1648
        • C:\Windows\system32\wbengine.exe
          "C:\Windows\system32\wbengine.exe"
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1300
        • C:\Windows\System32\vdsldr.exe
          C:\Windows\System32\vdsldr.exe -Embedding
          1⤵
            PID:2840
          • C:\Windows\System32\vds.exe
            C:\Windows\System32\vds.exe
            1⤵
              PID:1636

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            Windows Management Instrumentation

            1
            T1047

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Netsh Helper DLL

            1
            T1546.007

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Event Triggered Execution

            1
            T1546

            Netsh Helper DLL

            1
            T1546.007

            Defense Evasion

            Direct Volume Access

            1
            T1006

            Impair Defenses

            1
            T1562

            Disable or Modify System Firewall

            1
            T1562.004

            Indicator Removal

            3
            T1070

            File Deletion

            3
            T1070.004

            Modify Registry

            2
            T1112

            Credential Access

            Credentials from Password Stores

            2
            T1555

            Credentials from Web Browsers

            1
            T1555.003

            Windows Credential Manager

            1
            T1555.004

            Unsecured Credentials

            1
            T1552

            Credentials In Files

            1
            T1552.001

            Discovery

            Browser Information Discovery

            1
            T1217

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            System Location Discovery

            1
            T1614

            System Language Discovery

            1
            T1614.001

            Lateral Movement

            Collection

            Data from Local System

            1
            T1005

            Command and Control

            Exfiltration

            Impact

            Inhibit System Recovery

            4
            T1490

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\info.hta
              Filesize

              5KB

              MD5

              78bbb8c8b3a2577a822bd60bcf579afa

              SHA1

              f89daaf170907b491daaf00650c93b677e90620b

              SHA256

              a7bc6efc01e5f76af986cdb97fe666ebf4282fe070879072285cdec499295722

              SHA512

              c4ab73ad356dc0177c1b3537f1be8e5e7240909a0ebbb651bdcba907bff385abd0542f8e385c28a517a98558f559fa93a5f39faeddf9e1ffda8b12f86b196c0d

              Download Submit

            • memory/2432-16-0x0000000074500000-0x0000000074BEE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2432-1-0x0000000001080000-0x00000000011AA000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/2432-2-0x0000000074500000-0x0000000074BEE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2432-3-0x0000000000670000-0x00000000006BE000-memory.dmp

              Filesize

              312KB

              Download

            • memory/2432-4-0x0000000000AE0000-0x0000000000B16000-memory.dmp

              Filesize

              216KB

              Download

            • memory/2432-5-0x0000000000B20000-0x0000000000B54000-memory.dmp

              Filesize

              208KB

              Download

            • memory/2432-6-0x0000000000D50000-0x0000000000D9C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/2432-0-0x000000007450E000-0x000000007450F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2532-59-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-70-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-11-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-18-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-10-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-9-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-8-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-7-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-15-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-3504-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-2149-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-1002-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-651-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-138-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-35-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-45-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-47-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-46-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-49-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-48-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-61-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2532-57-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-51-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-72-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-12-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-78-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2532-102-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2704-34-0x0000000074430000-0x0000000074B1E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2704-21-0x0000000074430000-0x0000000074B1E000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2704-20-0x0000000001080000-0x00000000011AA000-memory.dmp

              Filesize

              1.2MB

              Download

            • memory/2704-19-0x000000007443E000-0x000000007443F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2892-33-0x0000000000400000-0x0000000000413000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2892-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

              Filesize

              4KB

              Download