Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/10/2023, 21:08

General

  • Target

    NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe

  • Size

    937KB

  • MD5

    8fd6c6512d4bfea996c2b0a5c97efda6

  • SHA1

    a30f216b69e47321c6c6dc08566b72a2cb7d426c

  • SHA256

    22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3

  • SHA512

    d87fd494c681da5190e495a15aee7efe82c856f2df236ddea62f7a2bcdd10451ac208ca805da740b04e091ec6674f913a3732ca2678a00785dbf51d49969d476

  • SSDEEP

    24576:0yzjvNtNFfeH+crXgczCFYM2AjFYLIVe2LyeaySb8Blf:DVhmH+crgcotTjZY2dy8D

Malware Config

Extracted

Family

amadey

Version

3.87

C2

http://77.91.68.18/nice/index.php

Attributes
  • install_dir

    b40d11255d

  • install_file

    saves.exe

  • strings_key

    fa622dfc42544927a6471829ee1fa9fe

rc4.plain

Extracted

Family

redline

Botnet

narik

C2

77.91.124.82:19071

Attributes
  • auth_value

    07924f5ef90576eb64faea857b8ba3e5

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Detect Mystic stealer payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • Mystic

    Mystic is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 12 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.22c7d4ccdd92462496f3a591113d432dc726a95fe6bdf3b05a7ca86f7ad8a0e3_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4456
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1068
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:3944
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe"
                7⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3196
                • C:\Windows\SysWOW64\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN saves.exe /TR "C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe" /F
                  8⤵
                  • Creates scheduled task(s)
                  PID:864
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "saves.exe" /P "Admin:N"&&CACLS "saves.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b40d11255d" /P "Admin:N"&&CACLS "..\b40d11255d" /P "Admin:R" /E&&Exit
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1260
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                    9⤵
                      PID:1564
                    • C:\Windows\SysWOW64\cacls.exe
                      CACLS "saves.exe" /P "Admin:N"
                      9⤵
                        PID:4444
                      • C:\Windows\SysWOW64\cacls.exe
                        CACLS "saves.exe" /P "Admin:R" /E
                        9⤵
                          PID:4596
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /S /D /c" echo Y"
                          9⤵
                            PID:1560
                          • C:\Windows\SysWOW64\cacls.exe
                            CACLS "..\b40d11255d" /P "Admin:N"
                            9⤵
                              PID:756
                            • C:\Windows\SysWOW64\cacls.exe
                              CACLS "..\b40d11255d" /P "Admin:R" /E
                              9⤵
                                PID:1696
                      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe
                        5⤵
                        • Executes dropped EXE
                        PID:4788
                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
                      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe
                      4⤵
                      • Executes dropped EXE
                      PID:2872
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:1920
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:5116
              • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe
                1⤵
                • Executes dropped EXE
                PID:4976

              Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

                      Filesize

                      831KB

                      MD5

                      dbba888150db2bb4a7b3892f0c2aab6e

                      SHA1

                      8fc323a19c8281fc99e5445f271dbe02a3ebd7f0

                      SHA256

                      313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2

                      SHA512

                      4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5391684.exe

                      Filesize

                      831KB

                      MD5

                      dbba888150db2bb4a7b3892f0c2aab6e

                      SHA1

                      8fc323a19c8281fc99e5445f271dbe02a3ebd7f0

                      SHA256

                      313f81ade73bce713b617b2d27636a87a1579663f3b9f9e75220d37d620550d2

                      SHA512

                      4aa9c1b5d3332ca0704ccfa3e60fd0a5a28c217df9456085f46d419b5775aa1a3712ad5351b72d58a482e17849334539061ce3064c09d6c13449b1ff37f624d9

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

                      Filesize

                      706KB

                      MD5

                      e839f87fd3f5e5a6df6091450221883b

                      SHA1

                      0a9e64a9da8656af2283d7a5a60b358f5a0acbeb

                      SHA256

                      88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278

                      SHA512

                      bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

                    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5765111.exe

                      Filesize

                      706KB

                      MD5

                      e839f87fd3f5e5a6df6091450221883b

                      SHA1

                      0a9e64a9da8656af2283d7a5a60b358f5a0acbeb

                      SHA256

                      88fdcf0ec725ee01e48a54088d50ed6280cf7cd89681478d2f5a00595dd03278

                      SHA512

                      bc0610a2e7544d583dc9b4518b25c34abfa7ae1891fe732d998f5c23c718a6465e838cce26a407618fb79d37f83167f5ffe1d38822559ffe2227b010a6ff9464

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

                      Filesize

                      174KB

                      MD5

                      b262404fe9049079c2e05db9b17079fe

                      SHA1

                      b1092a6ab4c9b6800c2417780e53d23580f63870

                      SHA256

                      5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46

                      SHA512

                      4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1669327.exe

                      Filesize

                      174KB

                      MD5

                      b262404fe9049079c2e05db9b17079fe

                      SHA1

                      b1092a6ab4c9b6800c2417780e53d23580f63870

                      SHA256

                      5a26674c67a8fd5a8eb35a7a84b486f533fb9527b9470da6713365a79d74cb46

                      SHA512

                      4b3c83b5d9dfbad5d6a18c514e0a4cd54176582c46f3a653f6460a1172fb5919f36229cb7d06a63874ddc6df10f0267e279287344f06b8cc5163a7b5f34425e4

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

                      Filesize

                      550KB

                      MD5

                      63bc13e574cfeb9622e34aad7c559d5f

                      SHA1

                      8fe8c12f3f78da28457caaa10dd20479ea0e78df

                      SHA256

                      b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e

                      SHA512

                      069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

                    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7694867.exe

                      Filesize

                      550KB

                      MD5

                      63bc13e574cfeb9622e34aad7c559d5f

                      SHA1

                      8fe8c12f3f78da28457caaa10dd20479ea0e78df

                      SHA256

                      b18a97ed0ba822f7bfbca44a65f13bcd6280455d74bbf2dda9c0b7f56b08a60e

                      SHA512

                      069adc723237599442cd30f85724deaf54ade5782dfbef0b31e05812777dc8d16b1deb849b6cdd05d5ea91e21636d65a1bada60080282f56b3a44913aec16a31

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

                      Filesize

                      141KB

                      MD5

                      ffbf7f9ca30baf18f24f8134b2f9c0b6

                      SHA1

                      c2c058c8e9be043a0f51f6aa933b12b86b9f8f72

                      SHA256

                      cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425

                      SHA512

                      090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9317585.exe

                      Filesize

                      141KB

                      MD5

                      ffbf7f9ca30baf18f24f8134b2f9c0b6

                      SHA1

                      c2c058c8e9be043a0f51f6aa933b12b86b9f8f72

                      SHA256

                      cad1192638fe3e319e964f89ca363c1b99387e5f2fc5607528b73cfcefc05425

                      SHA512

                      090f9ee4c0f8c727906b610236d1549b437c89445fea389a4bd11b9ca112bb88e74b5220ecc506077eee6c5c99963793f6694de20cb5b4228b024df409fbd507

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

                      Filesize

                      384KB

                      MD5

                      146989df77714912f43d481988710f13

                      SHA1

                      1bcdcf2d08e9b5aed33fe500b03d1650496d608c

                      SHA256

                      50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c

                      SHA512

                      7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

                    • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0352362.exe

                      Filesize

                      384KB

                      MD5

                      146989df77714912f43d481988710f13

                      SHA1

                      1bcdcf2d08e9b5aed33fe500b03d1650496d608c

                      SHA256

                      50552e4d14efbc039fa6b5fe6656e204ab3892b00c2a00c641696063daeeb68c

                      SHA512

                      7f6b7a5fc1733e401608d957f00fae19a8fb4c7a6820c5fc7da542635a614522719a4e6fbdeedc13d55d8ce56cde22ebadde0ffba7eb28b46d7ac2d3ca4ada93

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

                      Filesize

                      184KB

                      MD5

                      9c6be8c3e7ba9cb9317436fbeffd6a27

                      SHA1

                      729d6a3ad58bcf305f01123f4cefe42106a7ef40

                      SHA256

                      19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035

                      SHA512

                      cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9245948.exe

                      Filesize

                      184KB

                      MD5

                      9c6be8c3e7ba9cb9317436fbeffd6a27

                      SHA1

                      729d6a3ad58bcf305f01123f4cefe42106a7ef40

                      SHA256

                      19a441c13c1ca39d48065284b37e867582402fe29db28a1d3cd10565b8073035

                      SHA512

                      cb74a124312172719451678bab57b1d417b7110d6238177cbc01d6fb9ed7ad0bb8976a0a0a311a5f7321f5adcb4e35661f7d4452d9cf48bde3d316492e4c84b5

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3660032.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • C:\Users\Admin\AppData\Local\Temp\b40d11255d\saves.exe

                      Filesize

                      333KB

                      MD5

                      252e0dbbc9cad09238b4393b98c6dad5

                      SHA1

                      22878b8de1eac378a8b10d5076dff6ca6240d100

                      SHA256

                      b5bb1755c847fb8c9031fb2086e9fb6c87d3aa9ee9177206a834c0c85915d3eb

                      SHA512

                      d328949f2a3f58bcc6158729c82b7912831fea0fdd46e01029a6ba4c74acaa9ce321a07218ec9de8ebfb70be17822f813c5b7c40dcaf94cf8c759449e4aca296

                    • memory/1068-39-0x0000000004A80000-0x0000000005024000-memory.dmp

                      Filesize

                      5.6MB

                    • memory/1068-44-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-56-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-58-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-60-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-62-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-64-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-66-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-68-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-69-0x0000000073C40000-0x00000000743F0000-memory.dmp

                      Filesize

                      7.7MB

                    • memory/1068-70-0x0000000004A70000-0x0000000004A80000-memory.dmp

                      Filesize

                      64KB

                    • memory/1068-71-0x0000000004A70000-0x0000000004A80000-memory.dmp

                      Filesize

                      64KB

                    • memory/1068-73-0x0000000073C40000-0x00000000743F0000-memory.dmp

                      Filesize

                      7.7MB

                    • memory/1068-52-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-50-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-48-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-46-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-54-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-42-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-41-0x0000000004990000-0x00000000049A6000-memory.dmp

                      Filesize

                      88KB

                    • memory/1068-40-0x0000000004990000-0x00000000049AC000-memory.dmp

                      Filesize

                      112KB

                    • memory/1068-38-0x0000000004A70000-0x0000000004A80000-memory.dmp

                      Filesize

                      64KB

                    • memory/1068-35-0x0000000002240000-0x000000000225E000-memory.dmp

                      Filesize

                      120KB

                    • memory/1068-36-0x0000000073C40000-0x00000000743F0000-memory.dmp

                      Filesize

                      7.7MB

                    • memory/1068-37-0x0000000004A70000-0x0000000004A80000-memory.dmp

                      Filesize

                      64KB

                    • memory/2872-95-0x0000000004FC0000-0x00000000055D8000-memory.dmp

                      Filesize

                      6.1MB

                    • memory/2872-96-0x0000000004AC0000-0x0000000004BCA000-memory.dmp

                      Filesize

                      1.0MB

                    • memory/2872-98-0x0000000004990000-0x00000000049A0000-memory.dmp

                      Filesize

                      64KB

                    • memory/2872-97-0x0000000004A00000-0x0000000004A12000-memory.dmp

                      Filesize

                      72KB

                    • memory/2872-99-0x0000000004A60000-0x0000000004A9C000-memory.dmp

                      Filesize

                      240KB

                    • memory/2872-100-0x0000000004BD0000-0x0000000004C1C000-memory.dmp

                      Filesize

                      304KB

                    • memory/2872-94-0x00000000020D0000-0x00000000020D6000-memory.dmp

                      Filesize

                      24KB

                    • memory/2872-102-0x0000000072BD0000-0x0000000073380000-memory.dmp

                      Filesize

                      7.7MB

                    • memory/2872-103-0x0000000004990000-0x00000000049A0000-memory.dmp

                      Filesize

                      64KB

                    • memory/2872-93-0x0000000072BD0000-0x0000000073380000-memory.dmp

                      Filesize

                      7.7MB

                    • memory/2872-92-0x0000000000070000-0x00000000000A0000-memory.dmp

                      Filesize

                      192KB