Overview

overview

10

Static

static

10

2025-03-28...ry.exe

windows7-x64

10

2025-03-28...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29/03/2025, 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe

  • Size

    1.6MB

  • MD5

    4c0e5c4aa3eb66907cf32b7bd869dd8f

  • SHA1

    2f97ad58991c727a897f4613e00d6b24a3300a85

  • SHA256

    31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8

  • SHA512

    56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51

  • SSDEEP

    24576:T1I8mdFc9nPV3EouDm6BkNEnzC5CW78UV:OFc3C37zCyG

Score
10/10
chaosdefense_evasionevasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\read_it.txt

Ransom Note
Don't worry, you can return all your files! All your files like documents, photos, databases and other important are encrypted What guarantees do we give to you? You can send 3 of your encrypted files and we decrypt it for free. You must follow these steps To decrypt your files : 1) Write on our e-mail :[email protected] ( In case of no answer in 24 hours check your spam folder or write us to this e-mail: [email protected]) 2) Obtain Bitcoin (You have to pay for decryption in Bitcoins. After payment we will send you the tool that will decrypt all your files.)

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 3 IoCs
  • Chaos family
    chaos
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    defense_evasion
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:2760
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3028
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:2092
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:1720
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2020
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:1784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2604
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1288
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2820
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
        PID:912
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1212

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      2
      T1547

      Active Setup

      1
      T1547.014

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Indicator Removal

      3
      T1070

      File Deletion

      3
      T1070.004

      Modify Registry

      3
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Defacement

      1
      T1491

      Inhibit System Recovery

      4
      T1490

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\gc0fm1s4h.jpg
        Filesize

        601KB

        MD5

        1590267bfab5fc9e6d537151be1a1bc3

        SHA1

        e71e9d22611962b68b663b2551196c6c4a91d218

        SHA256

        68edccb4f0be5927faa5a6a1589bd7434bd8cf55df48ee60c12bcf7a235e4b2d

        SHA512

        e0ab8739ecbdb40229da3808f1d7ea9d128091d7647738176f619d7742f82dc4803f6a70982d299e80ae5c99b85cee0c9ef112e915726e94cd72889160a1bf14

        Download Submit

      • C:\Users\Admin\AppData\Local\read_it.txt
        Filesize

        582B

        MD5

        ed5cc52876db869de48a4783069c2a5e

        SHA1

        a9d51ceaeff715ace430f9462ab2ee4e7f33e70e

        SHA256

        45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36

        SHA512

        1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\svchost.exe
        Filesize

        1.6MB

        MD5

        4c0e5c4aa3eb66907cf32b7bd869dd8f

        SHA1

        2f97ad58991c727a897f4613e00d6b24a3300a85

        SHA256

        31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8

        SHA512

        56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51

        Download Submit

      • C:\Users\Admin\Desktop\CompressStep.xml.2dee
        Filesize

        397KB

        MD5

        a1abeca49ebf4b4b6712c8ab91d376fc

        SHA1

        e3618b6ce34b4bf88c1dd3559af4ef10b5184f6d

        SHA256

        ccebee30ebdb5eed7ead4e38508fe64ed25044a683bc15067bd6c6c4d8d80874

        SHA512

        eaad4b965b0bd0dd01872de36ee9b37fbd96d40c6a28dce30fabcfcc77faffba88eeefed64de9e125c474d867ca607302ce82894561e6083df0e1f036ec4fdf0

        Download Submit

      • C:\Users\Admin\Desktop\DenyPing.cab.ng6i
        Filesize

        968KB

        MD5

        a5173a80fed1c4ac1981835710cf97b2

        SHA1

        20c73bebaa6e707a622fea5bf3a2026d51394f49

        SHA256

        109705f44ea54fdbecd1900a818e65018d44af9102fe201de69b6b83f94ab236

        SHA512

        fcb077761d86dfb16d210abf49d1238c85e8f57921b4b6b0a8e30e7158982df6b1cdf44cbc380e41ba81e818d902f6134f73b8d213360d3be736a4691c006048

        Download Submit

      • C:\Users\Admin\Desktop\DisableSet.mhtml.sl83
        Filesize

        943KB

        MD5

        dc591558361bbe17a1f5ebea5132bb55

        SHA1

        e455875f8f369cea2a770332984299d0073a3ff8

        SHA256

        20329295f5a0f1658b8c2463413f5d79409e75f531c084647ee45482bf84434c

        SHA512

        ffc7cc00e42d40075b0b1ef0351f32a9287b492eab6e564a501941591813c5b1415d28a2f44c6a67db80dac0cdc36a428d82579879b5dc2e3bb8916723c126d1

        Download Submit

      • C:\Users\Admin\Desktop\ExitJoin.ini.yf7t
        Filesize

        620KB

        MD5

        2f7bdad1ed9bf41208a48fd273f66d09

        SHA1

        5ca5360ead70e42b759e74a0a7c0211c411a8cd8

        SHA256

        76c0a3b75581a3b9027ac69a22cb5ba92b2bfeb438e7e6125a12768d5e45516f

        SHA512

        2ef57f80b2737e9c41eeab32b2c9332ac98934eb97db0e251879866518015e18e3fffe29de221dc828b9f2bad81e65ab66e08dfd0df811b17a6db05d59f48700

        Download Submit

      • C:\Users\Admin\Desktop\JoinNew.php.7tss
        Filesize

        447KB

        MD5

        1399b1ad0ca3f68f0c7bf39b609bd3de

        SHA1

        edb5f9c52a50d61a8a1338fc2cd2fa72b7cf3dbb

        SHA256

        1a89cc0cc6de021b3fd252a7a2792c24db0de949c9247a2c4f395d7def8da87d

        SHA512

        174f475ae6ef328abfd7c1c47b14df878500c50a838166c7b20762932394a8fc4065ee804f981de1c491cb7feea8e3f0afe6a33952520ba55ad7431fa9c0489b

        Download Submit

      • C:\Users\Admin\Desktop\JoinWait.docx.ivbh
        Filesize

        20KB

        MD5

        cb76478c6049184f18748ebb2bdf8b15

        SHA1

        87eaf264125e65b838f9d89bcbb41c4347b6a662

        SHA256

        f95bca318584c23923d4bc108ddda47f168c7ae14350f91ef78adc3504f2bc49

        SHA512

        e11f82e1f91ab05dd8b5046880c3b66dcd29be394266a36940eedaef101d89414cb8f439334c7734d6976afc1c1fcd791a46d510ee6fdcfeaa7c58442a28e5ed

        Download Submit

      • C:\Users\Admin\Desktop\ProtectTrace.docx.8lgz
        Filesize

        16KB

        MD5

        52bf8a0f28af09852f822443890215c7

        SHA1

        1028af3def5eeb298528d61a66aee74a59aa5dd8

        SHA256

        a71ab0d210d3108f4f51e412b8f5f4c655f6607d06afdb27bbbe9f0802e93b37

        SHA512

        150e39a79eb44c7300a71deb04b1164c1043f78381ffa434eb277935ff9e5ef2af04315697780be14b2de63d22219638e67fdcd3d94963587c9322a220b62b2d

        Download Submit

      • C:\Users\Admin\Desktop\RedoUse.xsl.o2h7
        Filesize

        720KB

        MD5

        91808666f92519c5c4c0dd70e561465e

        SHA1

        33f968725ae529802297d65a1ac2d5f08a5d2d25

        SHA256

        5867cf6c06f5286b72d313655e4f14eda636d03e088952824c9923f35d6acb3d

        SHA512

        a1d2f033c02d02fdd44c109eac0c3679218fcaa71e4cf9423985fdfe2f4bacb186cb370c1426dd86a85a7ad65523a9d3a4a189c9a292208b381c96ff0f0b60da

        Download Submit

      • C:\Users\Admin\Desktop\ResumeRedo.pptm.atgf
        Filesize

        347KB

        MD5

        f56302173126fd8fe0df981843ba44ae

        SHA1

        04bb6bbe39405ccec537ddfb12503565a314d200

        SHA256

        da28069c6fd07d9faf761ed39ae36efa54d2cd3233490bfc2861dffd4fd261b5

        SHA512

        50a8e309519c43bbc4c2dcd4624e268f54461c4e52168451dfbd2465cf42c51a0977c666eaad2f3d01d916492e6d8269b5c545f587566839a3f92ba226b7c918

        Download Submit

      • C:\Users\Admin\Desktop\SetStep.gif.2fvz
        Filesize

        645KB

        MD5

        ec0c752963f690462b3a76feb4100523

        SHA1

        53dc8321bc884291ec48cb19c2f02a7b4b34ad1b

        SHA256

        85745f0199894ec8707f203e455d588ec3b9639e60dc739da59ecd3846311c00

        SHA512

        7b6c457fed7137eb9971175ba6c8df4c6733fbe48696ff3ca945adab9f2e47f6ce44545947ad4b69114a1714524f6e3efd1af1d4689edcb1be0f101885acb7f9

        Download Submit

      • C:\Users\Admin\Desktop\ShowTest.svgz.ihmh
        Filesize

        521KB

        MD5

        8f929986fa067ce3d92bef8ea308cb87

        SHA1

        5b7161b1c4d897f5e30faa10a1a487a858a1dc1b

        SHA256

        50245280f666aa16366f33db23fad8ebe718069dc144048985ac2add52ecc491

        SHA512

        f8d9ef20ed1f4809ee74999d469c72177693cb2c5107a04a3acde54c82f52325e5b0af0d2af68a8fab2a31cd63a34781038c0d61049fc016f8c7a73dcb45008d

        Download Submit

      • C:\Users\Admin\Desktop\SkipUninstall.wma.lkn9
        Filesize

        769KB

        MD5

        5f3a53fe91a2bec5857d4f3d55da9e53

        SHA1

        b4612e1a977d052c426694173cced380f8b7f7f7

        SHA256

        5ff86b8bc6a73146e9761b648ec7537be4c56a292f4624377edcaff54fc72ae1

        SHA512

        0091890397708a2c7f3ed5fd7b248f17ffd33a76e87cfe88aa40ddfe9c8bc6f310459e0b0d8ebee3c513a55c05c74bab2c90ab9430141bfc39731d577aaf623d

        Download Submit

      • C:\Users\Admin\Desktop\StepResume.rar.na95
        Filesize

        670KB

        MD5

        9d878f27f7245ebe3c763cb85567e4b3

        SHA1

        dd40438086a805dedb8cd5bfd355e8360feb0d1c

        SHA256

        2e166612ac5a61dc523c5989820861a59d864ea3bf300fc92153380804076395

        SHA512

        aabb8dc53d9cd271da2b3d5d7e92e2cfecfa074af2a65777d142311b65c3cb7bc094480c62ea2e2abfd1621cbc86757500ae8cfaf746f26365fc9dacbc4b637f

        Download Submit

      • C:\Users\Admin\Desktop\TraceEdit.xlsx.6jrw
        Filesize

        15KB

        MD5

        59d66e800e01341c62f81f98bdf88c20

        SHA1

        96ddff686631487a06060ae154bdc28c17c68423

        SHA256

        6ee56152a61ba8c96308274a254b1296341404d725cf20affa00ab91fe1d410e

        SHA512

        a3564fec068e44a910729c3cc670e956bf7a5923638f8cc385eed32867485d96f80e5b91b0bf423ab20af03761fd354a1a097b31a971a1f70715f3c410333f49

        Download Submit

      • C:\Users\Admin\Desktop\UninstallDebug.docx.jtpc
        Filesize

        16KB

        MD5

        49849bb4297cd852d245628de030b42f

        SHA1

        1095e9580f19f0eaf5092cc7fd40c35e7075830c

        SHA256

        5417a4f3cb83047016038914b276791c4f737275fef4e338e6a276d7e6742deb

        SHA512

        97cccba092fb7e5327b6b5895a63e3d03143dc38fdf7fff57b820106085301d52b0512fc2dc5912044b8f6869b67025ebaca495c097c16a0c52b081f07fd7913

        Download Submit

      • C:\Users\Admin\Desktop\UninstallRead.odp.n0xu
        Filesize

        1.3MB

        MD5

        f2fb70e6c7ca9e5450f30134d9e88de4

        SHA1

        c796fe790b880f7ae8312a92e0f9b2ceb489c68c

        SHA256

        85fc9b303632ddd48d6e87e687a1203f7b47b611823db35d0a7f78c79e31ae93

        SHA512

        9705c77651feac42add13973ba0732a1f6a8b87cf49b3aef99c3f057b81b2753fc277727cf403b1c76cdbd4de4e9bbc0c35d998b9158159eeb1e7f11c6cb6c53

        Download Submit

      • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
        Filesize

        1B

        MD5

        d1457b72c3fb323a2671125aef3eab5d

        SHA1

        5bab61eb53176449e25c2c82f172b82cb13ffb9d

        SHA256

        8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

        SHA512

        ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

        Download Submit

      • C:\Users\Public\Desktop\Adobe Reader 9.lnk.8727
        Filesize

        2KB

        MD5

        82c2078fe3d9b06430395326c7e19a84

        SHA1

        de97f795117406b1d17113ca78dcf989bbda346e

        SHA256

        30821d5bb5a4d8ebcb977669dcf2501374a1acbd3099974f75875c844a0f6def

        SHA512

        6a03f26aa6e41d96c9e2380bbef1bc260e284db8f42a8e96108fbeef352acb5d549e3e930d0b1253f3a24eaab814e094ce1b6f6ff5d5f04d6c300c31b576f5bc

        Download Submit

      • C:\Users\Public\Desktop\Firefox.lnk.bkrd
        Filesize

        1KB

        MD5

        4afc69f137739b3db799a587422f8bba

        SHA1

        cc986ade566256b1d03693b757c9aab8c14cf9d0

        SHA256

        48ea10f57100556f0cea25bc16cbc5ec21b37875ea67533b3d74228cdf99ac65

        SHA512

        09e10e1317f8b527686ed775fb9b1de6cf5df81a99b636c468d4c40cc612711d1120c610b529a97081925fb0cda389d6e8d7e1b533e659da8423229dd11aa8d4

        Download Submit

      • C:\Users\Public\Desktop\Google Chrome.lnk.nk5v
        Filesize

        2KB

        MD5

        b295ca76ffd44e7555a22f204a6a2724

        SHA1

        d2c64a5b4c6946d7f7a27564aaabaee3605300c7

        SHA256

        3c6d38123337e045f3e2b496a8bfcfd3729015c818134cbb2c9ce9260043e5a5

        SHA512

        6138315ff4d1fb69722b460b4020bd9fe215123e25812ee4959e5b5269ac7333ff4086ed53e07f9112d4db89a9d26a3f40d3771aa19539f1607c59476c674871

        Download Submit

      • C:\Users\Public\Desktop\VLC media player.lnk.o404
        Filesize

        1KB

        MD5

        2eb7af8b789c2e1a7a5e60c9869f1e61

        SHA1

        fb9c5819ad8ed1bcb73ce6c2496ce96ded2d4a8d

        SHA256

        17d85ddb5a9e596ad0c04e6473a137c5fbadab39ab98b1bc17ad9de8de146ff0

        SHA512

        4f63f4bf9fb34a52f72cc882fff078d75a577db3ffe55395ada76ec915b6bd5cf2f0f7c7f8df486822ba3af2d713a46b6fba24a54def129f1a79cf0a09bd8cd5

        Download Submit

      • memory/1212-985-0x0000000002800000-0x0000000002810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2444-11-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2444-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2444-1-0x0000000000B40000-0x0000000000CDE000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2444-3-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2908-9-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2908-8-0x00000000000E0000-0x000000000027E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2908-980-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2908-10-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

        Filesize

        9.9MB

        Download