Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2024, 22:40

General

  • Target

    764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe

  • Size

    317KB

  • MD5

    764dde3f1fd9259e60c40b148db70637

  • SHA1

    0594e04536101063361d903e7db109a6dfaef85f

  • SHA256

    403736515e661b6b36e18644a1e4aaa8b64f3d2597cf260300c815f9326d669a

  • SHA512

    cbc6bc71698f75ebf23b2991476dabc895b23fd16af84967a2197aacc77b243e27ac143cdcc787549019492481bef63c847d79489eb3a8d672e8c8b5d0be157a

  • SSDEEP

    6144:J6tiiYyUYE+I6TdpIg+aLUvPOfE2sg4qJLfG7zWBMvKvGB77Z:J60iYyo+JT/+f282sGtw/77Z

Malware Config

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_vewif.txt

Ransom Note
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

What happened to your files ?
All of your files were protected by a strong encryption with RSA-2048.
More information about the encryption keys using RSA-2048 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem)

What does this mean ?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.

How did this happen ?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.

What do I do ?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.

For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below:
1. http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C
2. http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C
3. https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C

If for some reasons the addresses are not available, follow these steps:
1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C
4. Follow the instructions on the site.

IMPORTANT INFORMATION:
Your personal pages:
http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C
http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C
https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C
Your personal page (using TOR): zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C
Your personal identification number (if you open the site (or TOR 's) directly): DDFD4123AC768C4C

URLs

http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C

http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C

https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C

http://zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C

Extracted

Path

C:\Program Files\7-Zip\Lang\restore_files_vewif.html

Ransom Note
<html> <style>a { color:green; }.tb { background:white; border-style:solid; border-width:1px; padding:3px; border-color:lime; } .ttl { font-size:13px; color:880000; }</style><body style="background:#33CCFF;"> <center> <div style="text-align:left; font-family:Arial; font-size:13px; line-height:20px; margin-top:10px; width:800px; background:#F4F4F4; padding:20px; border-style:solid; border-width:5px; border-color:#BABABA;"> <b><font class="ttl">What happened <!------sfg2gdfstw5ey3345 --> to your files?</b></font><br> <font style="font-size:13px;">All of your files were<!------sfg2gdfstw5ey3345 --> protected by a strong<!------sfg2gdfstw5ey3345 --> encryption with<!------sfg2gdfstw5ey3345 --> RSA-2048 <br> More information about the <!------sfg2gdfstw5ey3345 -->encryption RSA-2048 can be<!------sfg2gdfstw5ey3345 --> found here: <a href="http://en.wikipedia.org/wiki/RSA_(cryptosystem)" target="_blank">http://en.wikipedia.org/wiki/RSA_(cryptosystem)</a><br></font> <br><b><font class="ttl">What <!------sfg2gdfstw5ey3345 --> does this mean?</b></font><br><font style="font-size:13px;"> This<!------sfg2gdfstw5ey3345 --> means that the <!------sfg2gdfstw5ey3345 --> structure and data within your files have been irrevocably <!------sfg2gdfstw5ey3345 -->changed, you will not be able to work<br> with them, read<!------sfg2gdfstw5ey3345 --> them or see them, it is the same thing <!------sfg2gdfstw5ey3345 -->as losing them forever, but with our help, you can restore them.</font><br><br><b><font class="ttl">How did this happen?</b></font> <br> <font style="font-size:13px;"> Especially for you, on our server was generated the secret key pair RSA-2048 - public and private. 
<br>All your <!------sdkfg3265436456hdfskjghfdg --> files were encrypted with the public key, <!------sdkfghd456334565436fskjghfdg --> which has been <!------sdkfghd45363456fskjghfdg --> transferred to <!------sdkfghdfskjghfdg -->your computer via <!------sdkfghd4356345643564356fskjghfdg -->the Internet.<br> <!------sdkfghd34563456fskjghfdg --> Decrypting of <!------sdkf45363456ghdfskjghfdg -->YOUR FILES is <!------sdkfghdfs4563456kjghfdg -->only possible <!------sdkfgh45364356dfskjghfdg -->with the help of the <!------sdkfghd4563456fskjghfdg -->private key and <!------sdkfghd43563456fskjghfdg -->decrypt program, <!------sdkfghdf43564356tyretyskjghfdg -->which is on our <!------sdkfgh34565346dfskjghfdg -->SECRET SERVER!!!. </font><br><br><b><font class="ttl">What do I do?</b></font> <br><font style="font-size:13px;">Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed.<br> If you really need your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.</font><br><br> <!------23452345dgtwertwre --><div class="tb" style="color:#880000; font-size:13px; border-width:3px;">For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: <hr> <!------sadfs32452345gfdsgsdfgdfsafasdfasdfsadf --><b>1.<a href="http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C</a></b><br> <!------ds234523452345fgwert --><b>2.<a href="http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C" target="_blank">http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C</a></b><br> <!------wer234524353245terwtewrt --><b>3.<a href="https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C" target="_blank">https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C</a></b><br> <!------sfg2gdfstw5ey3345 --></div><br><div class="tb" 
style="font-size:13px; border-color:#880000;">If for some reasons the addresses are not available, follow these steps: <hr>1. Download and install tor-browser: <a href="http://www.torproject.org/projects/torbrowser.html.en" target="_blank">http://www.torproject.org/projects/torbrowser.html.en</a><br>2. After a successful installation, run the browser and wait for initialization.<br>3. Type in the address bar: <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C</font><br>4. Follow the instructions on the site.</div><br><br><b>IMPORTANT INFORMATION:</b><br><div class="tb" style="width:790px;"> Your Personal PAGES: <b><br> <a href="http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C" target="_blank">http://nasdki39dawk.oj998fh4txkjh.com/DDFD4123AC768C4C</a> <br> <a href="http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C" target="_blank">http://awoeinf832as.wo49i277rnw.com/DDFD4123AC768C4C</a> <br> <a href="https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C" target="_blank"> https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C</a> </b> <br> Your Personal PAGE (using TOR): <font style="font-weight:bold; color:#009977;">zpr5huq4bgmutfnf.onion/DDFD4123AC768C4C</font><br> Your personal code (if you open the site (or TOR 's) directly): <font style="font-weight:bold; color:#770000;">DDFD4123AC768C4C</font><br> </div></div></center></body></html>
URLs

https://zpr5huq4bgmutfnf.onion.to/DDFD4123AC768C4C

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (873) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\764dde3f1fd9259e60c40b148db70637_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Users\Admin\AppData\Roaming\vcwsfs.exe
      C:\Users\Admin\AppData\Roaming\vcwsfs.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1112
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:4128
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RESTORE_FILES.TXT
        3⤵
        • System Location Discovery: System Language Discovery
        • Opens file in notepad (likely ransom note)
        PID:2868
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RESTORE_FILES.HTML
        3⤵
        • Enumerates system info in registry
        • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e1ce46f8,0x7ff8e1ce4708,0x7ff8e1ce4718
          4⤵
          PID:1068
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
          4⤵
          PID:4164
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
          4⤵
          PID:3520
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
          4⤵
          PID:1088
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
          4⤵
          PID:1052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5529471428205303647,10651165217005545336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
          4⤵
          PID:2000
      • C:\Windows\System32\vssadmin.exe
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        3⤵
        • Interacts with shadow copies
        PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Roaming\vcwsfs.exe >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\764DDE~1.EXE >> NUL
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4960
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4084
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2364
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:492
