Overview

overview

10

Static

static

9ECC56C602...28.exe

windows7_x64

10

9ECC56C602...28.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ECC56C60274314E5D1C62F5F51FEE28.exe

  • Size

    3.3MB

  • MD5

    9ecc56c60274314e5d1c62f5f51fee28

  • SHA1

    3911b8fd0bb8cf4c5346ebe5b9785d0a833e004c

  • SHA256

    2c32dcb54c310daf509527d74de8ab4cb7b45425fa543a5df22afd1e9bd00fd5

  • SHA512

    6bd7d06eb752acd6e173848ddeb30447b49286aa7ecdfa810b1cacc1e71385ed8fab8cc11b22511fe5d6a398af6d5eb224cf8da0f47a63c51bea18478cc688ca

Score
10/10
plugxredlinesmokeloadersource1backdoordiscoveryevasioninfostealerpersistencespywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

source1

C2

199.195.251.96:43073

Extracted

Family

smokeloader

Version

2020

C2

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/
rc4.i32
rc4.i32

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 16 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 13 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Drops file in System32 directory
    PID:684
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:68
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
      1⤵
        PID:1080
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Themes
        1⤵
          PID:1188
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
          1⤵
            PID:1244
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s SENS
            1⤵
              PID:1368
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s WpnService
              1⤵
                PID:2656
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:2640
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                1⤵
                  PID:2556
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                  1⤵
                    PID:2336
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                    1⤵
                      PID:2328
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                      1⤵
                        PID:1788
                      • C:\Users\Admin\AppData\Local\Temp\9ECC56C60274314E5D1C62F5F51FEE28.exe
                        "C:\Users\Admin\AppData\Local\Temp\9ECC56C60274314E5D1C62F5F51FEE28.exe"
                        1⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:3680
                        • C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
                          "C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
                          2⤵
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2916
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 4200
                            3⤵
                            • Suspicious use of NtCreateProcessExOtherParentProcess
                            • Program crash
                            PID:5636
                        • C:\Users\Admin\AppData\Local\Temp\Files.exe
                          "C:\Users\Admin\AppData\Local\Temp\Files.exe"
                          2⤵
                          • Executes dropped EXE
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:404
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:1008
                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              4⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4280
                        • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                          "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4420
                          • C:\Users\Admin\AppData\Roaming\3821949.exe
                            "C:\Users\Admin\AppData\Roaming\3821949.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4084
                          • C:\Users\Admin\AppData\Roaming\5941916.exe
                            "C:\Users\Admin\AppData\Roaming\5941916.exe"
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            PID:1064
                            • C:\ProgramData\Windows Host\Windows Host.exe
                              "C:\ProgramData\Windows Host\Windows Host.exe"
                              4⤵
                              • Executes dropped EXE
                              PID:4408
                          • C:\Users\Admin\AppData\Roaming\7058894.exe
                            "C:\Users\Admin\AppData\Roaming\7058894.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4964
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c timeout 1
                              4⤵
                                PID:3136
                                • C:\Windows\SysWOW64\timeout.exe
                                  timeout 1
                                  5⤵
                                  • Delays execution with timeout.exe
                                  PID:3148
                              • C:\Users\Admin\AppData\Roaming\7058894.exe
                                "C:\Users\Admin\AppData\Roaming\7058894.exe"
                                4⤵
                                • Executes dropped EXE
                                PID:5484
                              • C:\Windows\SysWOW64\WerFault.exe
                                C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 1380
                                4⤵
                                • Drops file in Windows directory
                                • Program crash
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5608
                            • C:\Users\Admin\AppData\Roaming\8733735.exe
                              "C:\Users\Admin\AppData\Roaming\8733735.exe"
                              3⤵
                              • Executes dropped EXE
                              PID:4324
                          • C:\Users\Admin\AppData\Local\Temp\wf-game.exe
                            "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
                            2⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:4448
                            • C:\Windows\SysWOW64\rUNdlL32.eXe
                              "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                              3⤵
                              • Loads dropped DLL
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4916
                          • C:\Users\Admin\AppData\Local\Temp\agdsk.exe
                            "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
                            2⤵
                            • Executes dropped EXE
                            • Modifies system certificate store
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4488
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /c taskkill /f /im chrome.exe
                              3⤵
                                PID:4960
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im chrome.exe
                                  4⤵
                                  • Kills process with taskkill
                                  PID:5252
                            • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                              "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
                              2⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Suspicious use of WriteProcessMemory
                              PID:4588
                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                3⤵
                                • Executes dropped EXE
                                PID:4884
                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                3⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                PID:5344
                            • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                              "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
                              2⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Checks SCSI registry key(s)
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              PID:4628
                          • \??\c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s BITS
                            1⤵
                            • Suspicious use of SetThreadContext
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3748
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k SystemNetworkService
                              2⤵
                              • Drops file in System32 directory
                              • Checks processor information in registry
                              • Modifies data under HKEY_USERS
                              • Modifies registry class
                              PID:5048
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                            1⤵
                            • Drops file in Windows directory
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:4036
                          • C:\Windows\system32\browser_broker.exe
                            C:\Windows\system32\browser_broker.exe -Embedding
                            1⤵
                            • Modifies Internet Explorer settings
                            PID:2628
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                            1⤵
                            • Modifies registry class
                            • Suspicious behavior: MapViewOfSection
                            • Suspicious use of SetWindowsHookEx
                            PID:5060
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                            1⤵
                            • Modifies Internet Explorer settings
                            • Modifies registry class
                            PID:4980
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                            1⤵
                            • Modifies registry class
                            PID:4536
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                            1⤵
                            • Modifies registry class
                            PID:5276
                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                            1⤵
                            • Modifies registry class
                            PID:5752

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/68-263-0x000001F928680000-0x000001F9286F0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/68-292-0x000001F928D40000-0x000001F928DB0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/684-230-0x000001AEBB140000-0x000001AEBB1B0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/684-300-0x000001AEBB230000-0x000001AEBB2A0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1008-141-0x00000000052E0000-0x000000000531B000-memory.dmp

                            Filesize

                            236KB

                            Download

                          • memory/1008-129-0x0000000005560000-0x0000000005561000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1008-127-0x0000000000820000-0x0000000000821000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1008-146-0x0000000006000000-0x0000000006001000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1008-145-0x0000000005540000-0x0000000005556000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/1008-147-0x0000000005060000-0x000000000555E000-memory.dmp

                            Filesize

                            5.0MB

                            Download

                          • memory/1008-130-0x0000000005100000-0x0000000005101000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1008-134-0x00000000050F0000-0x00000000050F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1080-226-0x000001FF31200000-0x000001FF31270000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1080-298-0x000001FF312E0000-0x000001FF31350000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1188-306-0x000001E98D410000-0x000001E98D480000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1188-236-0x000001E98CE40000-0x000001E98CEB0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1244-308-0x0000023801710000-0x0000023801780000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1244-240-0x0000023801620000-0x0000023801690000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1368-233-0x000002668DB90000-0x000002668DC00000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1368-302-0x000002668E300000-0x000002668E370000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1788-246-0x00000230EEE40000-0x00000230EEEB0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/1788-304-0x00000230EEEB0000-0x00000230EEF20000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2328-265-0x000001C9CFF80000-0x000001C9CFFF0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2328-294-0x000001C9D0670000-0x000001C9D06E0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2336-296-0x00000243EC5B0000-0x00000243EC620000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2336-218-0x00000243EBC80000-0x00000243EBCF0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2556-290-0x000001A736420000-0x000001A736490000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2556-254-0x000001A736000000-0x000001A736070000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2640-310-0x0000015D8E130000-0x0000015D8E1A0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2640-243-0x0000015D8D500000-0x0000015D8D570000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2656-249-0x000001CB60280000-0x000001CB602F0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/2916-131-0x00000000035D0000-0x00000000035E0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2916-138-0x0000000003770000-0x0000000003780000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3040-277-0x00000000011D0000-0x00000000011E6000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/3748-217-0x0000012B14270000-0x0000012B142BB000-memory.dmp

                            Filesize

                            300KB

                            Download

                          • memory/3748-225-0x0000012B14330000-0x0000012B143A0000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/4084-210-0x0000000000D00000-0x0000000000D01000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4084-223-0x00000000054A0000-0x00000000054A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4084-228-0x00000000054D0000-0x00000000054D1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-188-0x00000000059F0000-0x00000000059F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-158-0x0000000005720000-0x0000000005721000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-173-0x0000000005760000-0x0000000005761000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-179-0x00000000056A0000-0x0000000005CA6000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4280-152-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-154-0x00000000056C0000-0x00000000056C1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4280-148-0x0000000000400000-0x000000000041C000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/4324-257-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4408-262-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4420-161-0x00000000005F0000-0x00000000005F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4420-174-0x0000000000A50000-0x0000000000A6D000-memory.dmp

                            Filesize

                            116KB

                            Download

                          • memory/4420-181-0x0000000002720000-0x0000000002722000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/4420-169-0x0000000000A40000-0x0000000000A41000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4420-175-0x0000000000D40000-0x0000000000D41000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4628-259-0x0000000000850000-0x00000000008FE000-memory.dmp

                            Filesize

                            696KB

                            Download

                          • memory/4628-261-0x0000000000400000-0x0000000000845000-memory.dmp

                            Filesize

                            4.3MB

                            Download

                          • memory/4916-215-0x00000000044D0000-0x000000000452C000-memory.dmp

                            Filesize

                            368KB

                            Download

                          • memory/4916-213-0x0000000000D55000-0x0000000000E56000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/4964-258-0x0000000004F60000-0x0000000004F61000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/5048-255-0x000001D7932D0000-0x000001D793340000-memory.dmp

                            Filesize

                            448KB

                            Download

                          • memory/5048-279-0x000001D795900000-0x000001D795A05000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/5484-276-0x00000000053B0000-0x00000000059B6000-memory.dmp

                            Filesize

                            6.0MB

                            Download