Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-11-2022 20:27

General

  • Target

    4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe

  • Size

    14.0MB

  • MD5

    49c40f0da1820f135afa3de1cb7264d2

  • SHA1

    64d415cbd339c40de86ab50b5ef2f416fa9b7584

  • SHA256

    4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba

  • SHA512

    59f263420c3b3a444c241c78ddc1dd48958159654584f5c20c098f4d64761cd0dab3aee822a4e57bb6d9dda01b30218574d45299f68a18e99f8fcac608fac2c6

  • SSDEEP

    393216:RnIvC5BvWLlT9QhbChS/PEY6YjoqxBP7dGSX0CzMe7D8lGQq:CvQuLlT9UbCk3d6YMazdGSX0zeccQq

Malware Config

Signatures

  • Detect PurpleFox Rootkit 4 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 4 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Executes dropped EXE 4 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 51 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe
    "C:\Users\Admin\AppData\Local\Temp\4c77d8805ace5026f549bf3085567d2c5d8413bbaca48c5cc474622bb0b2ccba.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Users\Admin\AppData\Local\Temp\z.exe
      "C:\Users\Admin\AppData\Local\Temp\z.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4056
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" C:\Users\Public\Music\tpdwht
        3⤵
          PID:3432
      • C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
        "C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:848
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe
        "C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe" C:\Users\Admin\AppData\Roaming\sxkxv\llh.zip -d C:\Users\Admin\AppData\Roaming
        2⤵
        • Executes dropped EXE
        • Drops startup file
        PID:2704
      • C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe
        "C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3136
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5068

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Defense Evasion

      • Modify Registry (T1112): 1

      Discovery

      • Query Registry (T1012): 3
      • System Information Discovery (T1082): 4
      • Peripheral Device Discovery (T1120): 1

      Downloads

      • C:\ProgramData\SHELL.TXT
        Filesize

        1.2MB

      • C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
        Filesize

        12.3MB

      • C:\Users\Admin\AppData\Local\Temp\nsw73AF.tmp\System.dll
        Filesize

        11KB

      • C:\Users\Admin\AppData\Local\Temp\nsw73AF.tmp\nsDialogs.dll
        Filesize

        9KB

      • C:\Users\Admin\AppData\Local\Temp\z.exe
        Filesize

        3.5MB

      • C:\Users\Admin\AppData\Roaming\sxkxv\llh.zip
        Filesize

        1KB

      • C:\Users\Admin\AppData\Roaming\sxkxv\rksr.exe
        Filesize

        40KB

      • C:\Users\Public\Music\tpdwht\bhalol.lnk
        Filesize

        1KB

      • C:\Users\Public\Music\tpdwht\cgkifko.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\cnnmsoc.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\espstn.lnk
        Filesize

        1KB

      • C:\Users\Public\Music\tpdwht\fcakdqd.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\fgliqi.lnk
        Filesize

        1KB

      • C:\Users\Public\Music\tpdwht\gvgrcq.lnk
        Filesize

        1KB

      • C:\Users\Public\Music\tpdwht\gvwdqgu.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\ksqqiu.lnk
        Filesize

        1KB

      • C:\Users\Public\Music\tpdwht\osguhgr.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\vsfrqwp.url
        Filesize

        136B

      • C:\Users\Public\Music\tpdwht\xmucuo.lnk
        Filesize

        1KB

      • C:\Users\Public\Pictures\Vrice\uxdipm\libeay32.dll
        Filesize

        1.2MB

      • C:\Users\Public\Pictures\Vrice\uxdipm\rioyeh.exe
        Filesize

        340KB

      • C:\Users\Public\Pictures\Vrice\uxdipm\ssleay32.dll
        Filesize

        425KB

      • C:\Users\Public\Pictures\Vrice\uxdipm\wc.xml
        Filesize

        136KB

      • C:\Users\Public\Pictures\Vrice\uxdipm\zlib1.dll
        Filesize

        98KB
