Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2022, 19:30

General

  • Target

    67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

  • Size

    3.6MB

  • MD5

    a4e7c52086fbf175cda3af56f9874664

  • SHA1

    24ada4a9bbbe6633644a1489fd369d6914d6798a

  • SHA256

    67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8

  • SHA512

    52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

4Mekey.myftp.biz:1011

Mutex

7b646cd2fe5

Attributes
  • reg_key

    7b646cd2fe5

  • splitter

    @!#&^%$

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

OWN05

C2

4Mekey.myftp.biz:6606

4Mekey.myftp.biz:7707

4Mekey.myftp.biz:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

OWN05

C2

4Mekey.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Windows security bypass 2 TTPs 7 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Async RAT payload 2 IoCs
  • Executes dropped EXE 9 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
    "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4280
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2500
      • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1352
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3204
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3332
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3876
    • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3964
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3252
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5100
      • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
        3⤵
        • Executes dropped EXE
        PID:4396
      • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
        3⤵
        • Executes dropped EXE
        PID:4260
      • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2192
    • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
      "C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:1876

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

          Filesize

          7.3MB

          MD5

          08c3094ab3b3f48e26b6298c5b536fc0

          SHA1

          eb3354a84b4df057d129db893e7da073ce966d9c

          SHA256

          604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3

          SHA512

          c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

        • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

          Filesize

          7.3MB

          MD5

          08c3094ab3b3f48e26b6298c5b536fc0

          SHA1

          eb3354a84b4df057d129db893e7da073ce966d9c

          SHA256

          604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3

          SHA512

          c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          ce7628577f459b34d4bc5b2a580202d9

          SHA1

          d451433443db205c9acc801edbdf62cfe5ace0c4

          SHA256

          1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00

          SHA512

          2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          ce7628577f459b34d4bc5b2a580202d9

          SHA1

          d451433443db205c9acc801edbdf62cfe5ace0c4

          SHA256

          1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00

          SHA512

          2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          ce7628577f459b34d4bc5b2a580202d9

          SHA1

          d451433443db205c9acc801edbdf62cfe5ace0c4

          SHA256

          1d49949e0d2560ced4d68fd7ec8013b6b46119f4c9784cb42750a9a02b7b2c00

          SHA512

          2041d53f1ba6fb8469579dd3371812d527a68b46323968b1a258b3eb75b14987f6bc4c9dc7591210639934dffc18d032f10d47189dd3e4851abeeb3ef121aed7

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          c82cf1c6aa26d40abdeeadbb40ee274f

          SHA1

          ba84ebbfb299a025fdf72b870ade6ca8f92d4d7e

          SHA256

          eaf94aad23b2ae56eaaa92f70af26a18e65bfae7557816bbaf31d088b40e4774

          SHA512

          3375627bd362023c4b4f3e5921f84d09acc19039cae40bc571cd047f3b754676fca7924f7086d58df619aaa544eed27bc9eb2e198925c001fbc2a1aa37bd8331

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          645b77bae91e157f44a6125e63f17621

          SHA1

          3de7404d827ec5f76a7743a58a818e0d11d42839

          SHA256

          90f5e018d2c2dd966909518503616a8561bcb3ce2363f76c0b1d7027b738c99c

          SHA512

          06d289e410eb2daf3f850263e02f5ca87a21c5ecba1fb89324ae626286445a9c28909e88a6ee47ae827a255fb06972af38bd866b6ba1f1cceb23f80a3a1ba495

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          645b77bae91e157f44a6125e63f17621

          SHA1

          3de7404d827ec5f76a7743a58a818e0d11d42839

          SHA256

          90f5e018d2c2dd966909518503616a8561bcb3ce2363f76c0b1d7027b738c99c

          SHA512

          06d289e410eb2daf3f850263e02f5ca87a21c5ecba1fb89324ae626286445a9c28909e88a6ee47ae827a255fb06972af38bd866b6ba1f1cceb23f80a3a1ba495

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          04d7c019f2a21d6a052315c67ae92b73

          SHA1

          09fabcc020d869b88c33e4cbd9a2481a678c2149

          SHA256

          374fad38ab27622163272b1394fe89af17ba0abfdd60adda00948799099a1d69

          SHA512

          3a2925593ff5835638d78a598468fb36a539af56367d21775f6a5153d260e0938b233824d1887415730f1f300e6ef4a52628d0f99dd9c37f472be6bed7e1f7b9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          2de185be84dd06c83d961d95773bddd5

          SHA1

          0f22342d56c7a24b5b976dd423711678157cc659

          SHA256

          7409fcd778c5258bb100fc2e4b57801326699e8fdc9a571bbd0b7c347c697ce2

          SHA512

          2aa19ffbccdd0ba50ccbde7f836e8f9e13298d8c2465beae70118eaad9df2a2446632a3c2ff3d09e305d3ac9acc4b01fb436862fff5db446b9f3b1cc2dc03214

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • memory/1352-150-0x0000000005620000-0x00000000056BC000-memory.dmp

          Filesize

          624KB

        • memory/1352-148-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

        • memory/1860-164-0x0000000000E30000-0x0000000000E9C000-memory.dmp

          Filesize

          432KB

        • memory/2164-179-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/2192-196-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/2500-156-0x0000000006110000-0x000000000612E000-memory.dmp

          Filesize

          120KB

        • memory/2500-160-0x0000000007100000-0x0000000007196000-memory.dmp

          Filesize

          600KB

        • memory/2500-158-0x0000000006E80000-0x0000000006E9A000-memory.dmp

          Filesize

          104KB

        • memory/2500-146-0x00000000054F0000-0x0000000005556000-memory.dmp

          Filesize

          408KB

        • memory/2500-153-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/2500-144-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

          Filesize

          136KB

        • memory/3180-198-0x000000006F2E0000-0x000000006F32C000-memory.dmp

          Filesize

          304KB

        • memory/3204-178-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/3252-199-0x000000006F2E0000-0x000000006F32C000-memory.dmp

          Filesize

          304KB

        • memory/3332-180-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/3876-175-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/3948-140-0x0000000008B40000-0x0000000008BD2000-memory.dmp

          Filesize

          584KB

        • memory/3948-135-0x0000000000E10000-0x0000000000E7A000-memory.dmp

          Filesize

          424KB

        • memory/3948-136-0x00000000080B0000-0x0000000008654000-memory.dmp

          Filesize

          5.6MB

        • memory/3948-143-0x0000000008AF0000-0x0000000008AFA000-memory.dmp

          Filesize

          40KB

        • memory/3964-185-0x0000000000840000-0x00000000008BC000-memory.dmp

          Filesize

          496KB

        • memory/4280-167-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

          Filesize

          32KB

        • memory/4280-155-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/4280-141-0x0000000002F70000-0x0000000002FA6000-memory.dmp

          Filesize

          216KB

        • memory/4280-152-0x0000000006E70000-0x0000000006EA2000-memory.dmp

          Filesize

          200KB

        • memory/4280-157-0x00000000081F0000-0x000000000886A000-memory.dmp

          Filesize

          6.5MB

        • memory/4280-151-0x00000000068B0000-0x00000000068CE000-memory.dmp

          Filesize

          120KB

        • memory/4280-166-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

          Filesize

          104KB

        • memory/4280-142-0x0000000005B00000-0x0000000006128000-memory.dmp

          Filesize

          6.2MB

        • memory/4968-165-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

          Filesize

          56KB

        • memory/4968-159-0x0000000007A10000-0x0000000007A1A000-memory.dmp

          Filesize

          40KB

        • memory/4968-154-0x000000006F290000-0x000000006F2DC000-memory.dmp

          Filesize

          304KB

        • memory/4968-145-0x0000000005680000-0x00000000056E6000-memory.dmp

          Filesize

          408KB

        • memory/5100-200-0x000000006F2E0000-0x000000006F32C000-memory.dmp

          Filesize

          304KB