Resubmissions

24-06-2024 10:54

240624-mz2r2sycke 10

24-06-2024 10:40

240624-mqk3ya1gjn 10

Analysis

  • max time kernel
    612s
  • max time network
    617s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240611-en locale:en-us os:windows10-1703-x64 system
  • submitted
    24-06-2024 10:40

Errors

Reason
Machine shutdown

General

  • Target

    Yashma ransomware builder v1.2.exe

  • Size

    538KB

  • MD5

    13e878ed7e547523cffc5728f6ba4190

  • SHA1

    878ad3025f8ea6b61ad4521782035963b3675a52

  • SHA256

    f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db

  • SHA512

    a7fa4f14deb65aa8de18e37e4fba3d2fa6ed696b70c4d0f1f49a65a4d43da76eff0d9a9c4703a6e3c13a37eb5d1a427e43be8c0ea6b1288a50a1c5175d9392c7

  • SSDEEP

    3072:tq0G/vqRT5i2YcRVm16Pn690H7GMgXuD//bFLAkCgkUKEyF9aT5Zt19r+E1/bFLz:U0G/GiWm16YaGMVFLQdD8FLz

Malware Config

Extracted

Path

C:\Users\Default\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 59 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Yashma ransomware builder v1.2.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ewyo1et\4ewyo1et.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA08.tmp" "c:\Users\Admin\Downloads\CSC135450D1821C4240BFDDCB5CE0E25DB8.TMP"
        3⤵
          PID:4544
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3832
      • C:\Users\Admin\Downloads\daweasa.exe
        "C:\Users\Admin\Downloads\daweasa.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          2⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops desktop.ini file(s)
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4416
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4968
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              4⤵
              • Interacts with shadow copies
              PID:4172
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              4⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:4528
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3520
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:3316
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              4⤵
              • Modifies boot configuration data using bcdedit
              PID:4568
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:5112
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              4⤵
              • Deletes backup catalog
              PID:4908
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
            3⤵
            • Opens file in notepad (likely ransom note)
            PID:1292
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\System32\vdsldr.exe
        C:\Windows\System32\vdsldr.exe -Embedding
        1⤵
          PID:1388
        • C:\Windows\System32\vds.exe
          C:\Windows\System32\vds.exe
          1⤵
          • Checks SCSI registry key(s)
          PID:3296
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\read_it.txt
          1⤵
          • Opens file in notepad (likely ransom note)
          PID:708
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4420
        • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
          "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
          1⤵
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Windows\SysWOW64\unregmp2.exe
            "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2860
            • C:\Windows\System32\unregmp2.exe
              "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
              3⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              PID:60
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
          1⤵
          • Drops file in Windows directory
          PID:3540
        • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
          "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
          1⤵
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:4956
        • C:\Windows\SysWOW64\DllHost.exe
          C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
          1⤵
            PID:4456
          • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
            "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
            1⤵
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:3176
          • C:\Windows\system32\taskmgr.exe
            "C:\Windows\system32\taskmgr.exe" /7
            1⤵
              PID:4640
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0 /state0:0xa3a81055 /state1:0x41c64e6d
              1⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:4896

            Network

            MITRE ATT&CK Enterprise v15

            Downloads
