Analysis

  • max time kernel
    1049s
  • max time network
    428s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-11-2024 16:09

General

  • Target

    Chaos Ransomware Builder v5.2.exe

  • Size

    560KB

  • MD5

    02a37759bd104561f7730225388526fa

  • SHA1

    e02d8913f43d8d7843045d25eb369e0e086d7fb2

  • SHA256

    38adb3e1431726978b41a80227f22159fddfaeed174ddd2d569e6de4177d3589

  • SHA512

    55967de3de1ec177fd1f1d34571072c8fc3e3e4e657d35260db405e6d9f02fbb143b3a9f3d5f423572212e46394fd6953bfcb3d7fcc199126b5710dcab5af0f3

  • SSDEEP

    3072:ERbKSiIsAumFi2YcRVm16Pn6uXFsGoi2YcRTmH6PG6d5kCQLajjjjjjjjjjjjjjx:ERbKediWm16FEiqmH65aziym168

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Family

chaos

Ransom Note
----> Chaos is multi language ransomware. Translate your note to any language <----
All of your files have been encrypted
Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help.
What can I do to get my files back?
You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer.
The price for the software is $1,500. Payment can be made in Bitcoin only.
How do I pay, where do I get Bitcoin?
Purchasing Bitcoin varies from country to country, you are best advised to do a quick google search yourself to find out how to buy Bitcoin.
Many of our customers have reported these sites to be fast and reliable:
Coinmama - hxxps://www.coinmama.com
Bitpanda - hxxps://www.bitpanda.com
Payment information
Amount: 0.1473766 BTC
Bitcoin Address: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 4 IoCs
  • Chaos family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 59 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder v5.2.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4408
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iycahnyp\iycahnyp.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B80.tmp" "c:\Users\Admin\Downloads\CSCF175A03FF17E4A338B64843BE5ACE470.TMP"
        3⤵
        PID:2320
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2916
  • C:\Users\Admin\Downloads\fdfe.exe
    "C:\Users\Admin\Downloads\fdfe.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Drops desktop.ini file(s)
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4384
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:640
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:5044
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4624
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1360
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1524
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:4292
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:3972
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:536
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1896
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:2168
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4672
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4176
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee6fecc40,0x7ffee6fecc4c,0x7ffee6fecc58
      2⤵
      PID:4236
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
      2⤵
      PID:1664
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
      2⤵
      PID:2896
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
      2⤵
      PID:1720
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
      2⤵
      PID:268
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1
      2⤵
      PID:5032
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3736,i,17199287698112855954,7358084836155938432,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1
      2⤵
      PID:3860
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:548
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1644
  • C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
    1⤵
    PID:4440

Network

MITRE ATT&CK Enterprise v15

Downloads