Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/08/2022, 19:31

General

  • Target

    67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe

  • Size

    3.6MB

  • MD5

    a4e7c52086fbf175cda3af56f9874664

  • SHA1

    24ada4a9bbbe6633644a1489fd369d6914d6798a

  • SHA256

    67d4d3b8f1560edaaa9dab45e4df8373ca6a82a1dfce6f11e4b4191b1b1d4eb8

  • SHA512

    52230da4900cd71304e82e1e95121e6fec91b0477e433ed5b5d8cebb1254b5d6917bffc6ecc9a441b98f2e2104efbebab26c5b3a9c89a4b6b4d0d91ee52d7d8e

Malware Config

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

C2

4Mekey.myftp.biz:1011

Mutex

7b646cd2fe5

Attributes
  • reg_key

    7b646cd2fe5

  • splitter

    @!#&^%$

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

OWN05

C2

4Mekey.myftp.biz:6606

4Mekey.myftp.biz:7707

4Mekey.myftp.biz:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

OWN05

C2

4Mekey.myftp.biz:8848

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

  • Windows security bypass 2 TTPs 7 IoCs
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • Async RAT payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe
    "C:\Users\Admin\AppData\Local\Temp\67D4D3B8F1560EDAAA9DAB45E4DF8373CA6A82A1DFCE6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
      "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4700
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3640
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Public\Documents\ePfJhYNKJdKcYgdNe\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4364
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1264
      • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
        "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3292
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3508
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\KOMNbVTeabKcNgPOV\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2560
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1228
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
    • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
      2⤵
      • Windows security bypass
      • Executes dropped EXE
      • Checks computer location settings
      • Windows security modification
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\OPSZXUZIgTafXTVhZ\svchost.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1376
      • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe
        "C:\Users\Admin\AppData\Roaming\Windows Security Host.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1072
    • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe
      "C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      PID:1248

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

          Filesize

          7.3MB

          MD5

          08c3094ab3b3f48e26b6298c5b536fc0

          SHA1

          eb3354a84b4df057d129db893e7da073ce966d9c

          SHA256

          604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3

          SHA512

          c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

        • C:\Program Files (x86)\Adobe Inc\Adobe Installer\Set-up.exe

          Filesize

          7.3MB

          MD5

          08c3094ab3b3f48e26b6298c5b536fc0

          SHA1

          eb3354a84b4df057d129db893e7da073ce966d9c

          SHA256

          604bd340ee3bc601d213da08287ead8eef11ac30305ac55f2efcc56e611a58e3

          SHA512

          c1af72099f60df1cc1674a978674f95ab7298dfbd4219ef08387b7306c5fdca8287666992552b08b6d51788c62523f13f17e4cc76e44d5fd0ce649e6ae44d656

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

          Filesize

          2KB

          MD5

          968cb9309758126772781b83adb8a28f

          SHA1

          8da30e71accf186b2ba11da1797cf67f8f78b47c

          SHA256

          92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

          SHA512

          4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          7fdf90b67f8cbf73576916b8c8e52c4a

          SHA1

          5f4f980bc588da96a20eb036d1baa0c97608b39c

          SHA256

          a5e3603b1e18a84d07f4b8b5daa9b3044478851fb31866cb9632085b3715cf5f

          SHA512

          3e013f73a4f04f332c7de5d7b6a8b0a86a6d7b53ad44cbcb63d9500595b51c5cb03fad0b09e08f03bee997eaa7e8a545b2f7d1c88155c783c52194dbf29bfbdd

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          fae21fdf345a02de4e0b47e6d1913def

          SHA1

          aa070f144df9d6215544fd819d4fbcce640fa2fd

          SHA256

          2082491942967a95af9f6a95797d1d5b7405279e533c9204ed0f659319ccebbf

          SHA512

          47a224ded73949de65b33b69ddad2af4fd448514a61dd2c7c65ae4cf420df3d1d064f430d33bf5e91ce3f109ccf7c6812b97664301a1eb3adf232051dec77303

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          fae21fdf345a02de4e0b47e6d1913def

          SHA1

          aa070f144df9d6215544fd819d4fbcce640fa2fd

          SHA256

          2082491942967a95af9f6a95797d1d5b7405279e533c9204ed0f659319ccebbf

          SHA512

          47a224ded73949de65b33b69ddad2af4fd448514a61dd2c7c65ae4cf420df3d1d064f430d33bf5e91ce3f109ccf7c6812b97664301a1eb3adf232051dec77303

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          91513bcd6b4b71d4f236fe09d6d65b2b

          SHA1

          1039b63c5e7717c2e12e34d0f7f8ae335b5b3348

          SHA256

          7bc80576bfe3f176501215ebff231d41848ac491be475019d790db4c018afc0d

          SHA512

          3cd823011f78640527f1129ac50530c41017037202381cbe3117f98ec6e10fa3ff3d4f9d9d1806747ca7eb24490746301a1998fdcef8f305db2417bd9d23e2d9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          74d6f87e498e81fca1a4269f390b7bcd

          SHA1

          9a24c9148aed0597b151131380fa9a62b92552b5

          SHA256

          b1054009c262fd3f59bd6bfb867c888567a6a3135dcb8ad52927ff84dc235441

          SHA512

          a219c5abdb292b39cd03fb4bac9080a00efe9043f069b777773991dcab7de175588fa0432e80bf9c1d600eeb5d7e5bcf19e2bfdcfda69225d37ee388c7a58fcb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          74d6f87e498e81fca1a4269f390b7bcd

          SHA1

          9a24c9148aed0597b151131380fa9a62b92552b5

          SHA256

          b1054009c262fd3f59bd6bfb867c888567a6a3135dcb8ad52927ff84dc235441

          SHA512

          a219c5abdb292b39cd03fb4bac9080a00efe9043f069b777773991dcab7de175588fa0432e80bf9c1d600eeb5d7e5bcf19e2bfdcfda69225d37ee388c7a58fcb

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          2de04ee27889e0be8a2fe130e280f8ed

          SHA1

          8e89965b55bd01025cdb8baf27e66f65f9bbf289

          SHA256

          569f30c8de816c9835b918fe31962d87fd27c56fa7d158c395eb2dd2c498bf08

          SHA512

          8177bd1a78008ca54ceae4399649df6c7b8710f262262344d55d540abd35cad0e7d28090d907103733bce53ca12161f0c75e739422e8975c3c3bb141a530cb6e

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          18KB

          MD5

          60b041825c4ade5da8170194e91d3451

          SHA1

          6c155faf22e9beaca63b42f1f836ccaa36a120a5

          SHA256

          b661761c6d20317e336864da6e61716f345c3e6f25129792b0fc71f536db7ca8

          SHA512

          959b2eae4d84f5424362e7df6b8e764a1360aac933be05695aff08d2016f3d22c9497f00c3023715755eb9d78645e7dd08983808d97beccf2e41b0ea0df9be1f

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

          Filesize

          399KB

          MD5

          75233a6594888de3589ac556a04d36d8

          SHA1

          490efc1af779c47849ba20ca53a4dbac9e08185d

          SHA256

          fbbbb1a6cc5e40d0f92a911ebc95077801d73490f222845b3660f154fbbe2c80

          SHA512

          c866ef11b06e50920d3045c3a3ca9cc45bb88b143cbd1380b032770884bf3c1ad6ccee73eb5e742a94fe150481e7533931f628f94b026bf28566d1c44804035b

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Local\Temp\svchost.exe

          Filesize

          403KB

          MD5

          45c7bb96cf62c09ce2a2f8c141e2e3cc

          SHA1

          321e2b8e15dd6713163da84b775d5f7ccf68a067

          SHA256

          250e21a581ab1a303458c385ad8188c4954930abeeb790d82962b328d1412214

          SHA512

          3640d49d6fd41d5474ea2c7f8754eeb2994c7c05e0bcbb74c84be178747497ac4ea7c8a3c458d9f179e8fe3ed8070c6a255821a3a0ffd072c430c4758f70b371

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • C:\Users\Admin\AppData\Roaming\Windows Security Host.exe

          Filesize

          471KB

          MD5

          fd4064ae04a7f4f8636454fcd7f77b00

          SHA1

          3934ea72fd6ecbd94cc28dcfbfe42aefd375abb2

          SHA256

          b6c4ee1924cb2e180c8525343c7933a88c3787f9043db340450dea0ca02f3aa5

          SHA512

          60aa0e8cfc4340830f25d93e41112289a120064d23cc1b419af9832588ac6c209139b64e2aac8227221e2e310dcab2c86a69a5362ff90a563cdf2e9d058f05bc

        • memory/524-194-0x000000006EED0000-0x000000006EF1C000-memory.dmp

          Filesize

          304KB

        • memory/1072-191-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/1228-177-0x000000006F1E0000-0x000000006F22C000-memory.dmp

          Filesize

          304KB

        • memory/1264-167-0x0000000007200000-0x0000000007208000-memory.dmp

          Filesize

          32KB

        • memory/1264-155-0x0000000006190000-0x00000000061AE000-memory.dmp

          Filesize

          120KB

        • memory/1264-158-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

          Filesize

          104KB

        • memory/1264-151-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

          Filesize

          120KB

        • memory/1264-163-0x0000000006F50000-0x0000000006F5A000-memory.dmp

          Filesize

          40KB

        • memory/1264-164-0x0000000007160000-0x00000000071F6000-memory.dmp

          Filesize

          600KB

        • memory/1264-165-0x0000000007110000-0x000000000711E000-memory.dmp

          Filesize

          56KB

        • memory/1264-154-0x000000006F510000-0x000000006F55C000-memory.dmp

          Filesize

          304KB

        • memory/1376-199-0x000000006EED0000-0x000000006EF1C000-memory.dmp

          Filesize

          304KB

        • memory/2560-175-0x000000006F1E0000-0x000000006F22C000-memory.dmp

          Filesize

          304KB

        • memory/3180-195-0x000000006EED0000-0x000000006EF1C000-memory.dmp

          Filesize

          304KB

        • memory/3292-148-0x0000000000400000-0x000000000040C000-memory.dmp

          Filesize

          48KB

        • memory/3292-150-0x0000000004FD0000-0x000000000506C000-memory.dmp

          Filesize

          624KB

        • memory/3508-176-0x000000006F1E0000-0x000000006F22C000-memory.dmp

          Filesize

          304KB

        • memory/3596-186-0x0000000000E50000-0x0000000000ECC000-memory.dmp

          Filesize

          496KB

        • memory/3640-146-0x0000000005520000-0x0000000005586000-memory.dmp

          Filesize

          408KB

        • memory/3640-140-0x0000000002BF0000-0x0000000002C26000-memory.dmp

          Filesize

          216KB

        • memory/3640-166-0x0000000007B30000-0x0000000007B4A000-memory.dmp

          Filesize

          104KB

        • memory/3640-156-0x000000006F510000-0x000000006F55C000-memory.dmp

          Filesize

          304KB

        • memory/4112-162-0x0000000000280000-0x00000000002EC000-memory.dmp

          Filesize

          432KB

        • memory/4364-144-0x0000000004900000-0x0000000004922000-memory.dmp

          Filesize

          136KB

        • memory/4364-152-0x0000000006980000-0x00000000069B2000-memory.dmp

          Filesize

          200KB

        • memory/4364-157-0x0000000007320000-0x000000000799A000-memory.dmp

          Filesize

          6.5MB

        • memory/4364-142-0x0000000004D10000-0x0000000005338000-memory.dmp

          Filesize

          6.2MB

        • memory/4364-153-0x000000006F510000-0x000000006F55C000-memory.dmp

          Filesize

          304KB

        • memory/4364-145-0x0000000004CA0000-0x0000000004D06000-memory.dmp

          Filesize

          408KB

        • memory/4536-181-0x0000000000400000-0x0000000000412000-memory.dmp

          Filesize

          72KB

        • memory/4700-141-0x00000000086F0000-0x0000000008782000-memory.dmp

          Filesize

          584KB

        • memory/4700-143-0x0000000008680000-0x000000000868A000-memory.dmp

          Filesize

          40KB

        • memory/4700-136-0x0000000007BE0000-0x0000000008184000-memory.dmp

          Filesize

          5.6MB

        • memory/4700-135-0x0000000000E10000-0x0000000000E7A000-memory.dmp

          Filesize

          424KB